The Chicago Tribune reports that Advocate Medical Group is facing a class action lawsuit from patients who say the organization didn't do enough to protect their data prior to a breach in July that exposed more than 4 million patients' names, addresses, birthdates and Social Security numbers (h/t PHIprivacy.net).
Four password-protected but not encrypted computers were stolen when an Advocate administrative office was burglarized during the night of July 14, 2013.
Clifford Law Offices, which has filed the lawsuit, claims the organization was negligent in protecting private data, and failed to use encryption and other basic security measures on its patients' behalf. "In this age of advanced technology, Advocate had to realize that its unorthodox methodology for maintaining important and private data posed a risk to the safety and security of their patients," Clifford senior partner Robert A. Clifford said in a statement. "Equally disturbing is the fact that an organization like Advocate would have the private and confidential information of some four million patients stored in an unencrypted environment and saved to the computers' hard drives."
In a statement provided to the Chicago Tribute, Advocate said, "We want to reassure our patients that we do not believe the data was targeted and we have no information that leads us to believe that the information has been misused. Thus, we feel confident the facts will demonstrate that the lawsuit is without merit."
According to the Tribune, the Advocate breach was the second-largest loss of unsecured protected health information reported to the Department of Health and Human Services since it implemented a mandatory notification rule in 2009.