Healthcare News & Insights

Victims of massive data breach sue healthcare group

Health data breaches can create a number of costs for hospitals. One of them: legal fees resulting from patient lawsuits. 

A class action lawsuit has been filed against Illinois-based Advocate Medical Group, the Chicago Tribune reports. The complaint alleges the health system failed to take steps to keep patient data secure.

The suit stems from a data breach in which four computers were stolen from one of Advocate’s administrative offices in July. The machines contained information about patients who had visited the group’s doctors since as far back as the early 1990s. That totaled more than 4 million people.

The computers didn’t contain full medical records, but names, addresses, dates of birth and Social Security numbers were held on the machines, along with diagnoses, insurance information and other health data for some patients.

The kicker: The computers weren’t encrypted, meaning the thieves could have gained access to that data without much trouble. But so far, it doesn’t seem any patient data has been used by criminals in any way, Advocate said in a statement announcing the data breach.

According to the Department of Health and Human Services, that was the second-largest data breach reported since mandatory notification requirements went into effect in 2009.

Keys for preventing lawsuits

While the outcome of this case is still to be determined, in previous data breach lawsuits, courts have ruled that victims can’t sue unless they’ve suffered actual financial damage as a result of the incident.

That doesn’t necessarily mean affected patients would have to be victims of identity theft or other scams. In one suit involving a breach of credit card information, the judge ruled in favor of the plaintiffs because some of the breach victims had paid for credit monitoring services or were charged fees by their bank to replace credit cards.

While the best way to limit legal liability is to keep breaches from happening in the first place, the fact is that no IT system is 100% secure. That’s why it’s important to respond to health data breaches in a way that minimizes the risks for patients.

Here are the breach response steps outlined by the Better Business Bureau:

  1. Create a breach notification policy
  2. Train employees to recognize breaches
  3. Gather the facts immediately after a breach
  4. If financial info was taken, notify appropriate financial institutions
  5. Talk to outside counsel, and
  6. Notify affected employees.
