Just When You Think the Breach is Over, the Lawsuit Comes
On November 16th, a class of plaintiffs sued AvMed for a massive breach that resulted in their personal information being put at risk. In December of 2009, unencrypted laptop computers were stolen from an AvMed facility in Gainesville, Fla. AvMed initially believed information on about 208,000 members was at risk, but by June 2009 it became apparent that the information of over 1.22 million members was at risk. Information contained on the laptops included a mixture of name, address, date of birth, Social Security number, phone number, and diagnosis, procedure and prescription information. The attorneys representing the class of plaintiffs maintain that had AvMed taken time to encrypt their laptops, this simple step would have obviated any harm done by the theft.
Like other breaches under HITECH involving PHI of 500 or more individuals, the AvMed breach is posted on HHS's Web site. However, although the federal government has enforcement jurisdiction over HITECH, there is still no private right that would allow one to sue under HITECH for breaches (although in the future individual may be eligible to collect a percentage of any Civil Monetary Penalties collected and resulting from violation of HIPAA and/or HITECh that result in "harm" to such individual).
Attorneys attempting to sue for damages resulting from a breach are often hard-pressed to keep their complaint from being tossed, unless they can demonstrate the plaintiff suffered actual harm caused by the breach. However, the attorneys representing the class of plaintiffs in the AvMedcase are commercial litigators, and so it will be interesting to see if they come up with more unique causes of action under consumer protection or other laws, and how this will be tested in court. Stay tuned...