AvMed Sued Over Laptop Breach
Class Action Suit Seeks Damages, Security Measures
The lawsuit contends that the insurer took inadequate steps to protect patient information, violating HIPAA and not complying with industry standards and its own policies.
An AvMed spokeswoman says the insurer still has received no evidence that the information on the stolen laptop has been used to commit fraud or for any other purpose. She declined to comment on the lawsuit.
The suit seeks statutory and punitive damages, without specifying an amount, and asks the court to require AvMed to protect all data in compliance with HIPAA and industry standards.
The incident, which dates back to Dec. 11, 2009, is the largest reported so far under the HITECH Act's breach notification rule, which mandates reporting breaches that affect 500 or more individuals to the Department of Health and Human Services' Office for Civil Rights within 60 days.
Stolen Laptop Not Encrypted
Two laptops were stolen from an AvMed facility in Gainesville, Fla. One, which contained encrypted patient information, was recovered with the help of a tracking mechanism, the insurer reported. The other device, which was not recovered, held unencrypted information, including names, addresses, dates of birth, Social Security numbers and healthcare details.
"Merely taking the time to encrypt their laptops likely would have obviated any harm done by this theft," says the plaintiff's attorney, Bill Gray of Edelson McGuire, which specializes in filing class action suits. "It is mind-boggling that such simple procedures were not done to protect AvMed's customers, who place their trust in their insurance company to protect their highly personal information."
HIPAA and the HITECH Act do not explicitly mandate the use of encryption on any computer device. But the HIPAA security rule requires that patient information be adequately protected to address any risks identified in a risk assessment.
Breach Notification Delay
In February, when it initially revealed the incident, the Florida insurer said 208,000 current and former members had potentially been affected. Later, it raised that total to 360,000 and notified them all. Then in June, the company announced that the total number of patients potentially affected was 1.2 million.
"As this investigation progressed with the involvement of leading data security experts, AvMed concluded that there is reason to believe that similar information of approximately 860,000 additional current and former members may have been included," the insurer said in a June 3 statement. The company hired a forensics team from PricewaterhouseCoopers to help pinpoint the data involved, the AvMed spokeswoman said.
In June, the insurer began notifying the 860,000 additional affected individuals about the incident. It offered two years of free identity protection from the Debix Identity Protection Network to all 1.2 million people affected.
AvMed also announced in June that it was encrypting all its laptops.