Advocate Medical Sued for Breach of Patient Records
An Illinois health care nonprofit is facing a class action lawsuit for failing to adequately safeguard the personal medical information of its patients.
The suit was filed against Advocate Medical Group on behalf of Pierre Petrich and her daughter in Cook County Court last week, stemming from a July computer theft from the company’s office.
The theft may have compromised the records of 4 million patients going as far back as the early ’90s, giving the burglars access to personal information like names, addresses, dates of birth, Social Security numbers, diagnoses, medical record numbers, medical service codes and health insurance data.
The suit accuses Advocate of negligence, violation of consumer fraud and deceptive practice laws, invasion of privacy and intentional infliction of emotional distress. The organization failed to take basic steps to protect personal information, like encryption, and as a result ran afoul of the federal HIPAA Act as well as state laws by leaving the data vulnerable, the complaint alleges.
Advocate issued a statement which said that “we deeply regret any inconvenience” but “want to reassure our patients that we do not believe the data was targeted and we have no information that leads us to believe that the information has been misused. Thus, we feel confident the facts will demonstrate that the lawsuit is without merit.”
Plain Old Know Better
Consumers might find it shocking that some of the most intimate details about their lives could be available to anyone with the gumption to walk into an office and steal a few computers.
“As a result of failing to follow basic operating procedures, patients’ private and confidential information has been compromised,” says Shannon M. McNulty, an attorney with Clifford Law Offices, which is handling the plaintiffs’ case.
It’s not as if there aren’t laws and guidelines in place to safeguard that information. “Health care organizations are obligated to know and train their employees on how to protect patients’ most private information,” says McNulty. “It’s a very basic level of understanding with respect to how to maintain and secure information that should not be seen by unauthorized users or individuals, as the case may be with an alleged theft.”
There’s little room for an organization that serves as many patients as Advocate does to try to claim ignorance of the relevant privacy laws. “An entity such as Advocate does not lack the resources and knowledge to plain old know better,” McNulty says. “HIPAA has been around since 1996. Illinois has some state laws that as well give guidance and requirements to health care organizations. Even the Department of Health and Human Services has resources available so that health care organizations can comply with federal and state laws.”
Patients whose data was involved should have been notified by Advocate, and should contact the company if they believe they may have been affected but have not yet been contacted. As the litigation advances the plaintiff firm expects to post news and additional information about how to sign up for the class on its website.