Advocate Medical Group didn't adequately secure data, class-action suit says

[InfoSec News <alerts () infosecnews org>]

http://www.chicagotribune.com/news/local/breaking/chi-advocate-medical-group-didnt-adequately-secure-data-classaction-suit-says-20130905,0,7744379.story

By Mitch Smith
Tribune reporter
September 5, 2013

Advocate Medical Group, already under federal and state investigation after the 
theft of computers containing personal information on millions of people, is 
now facing a class-action lawsuit from patients who say the Downers Grove-based 
physician group didn’t do enough to protect their private data.

The suit, filed in Cook County Circuit Court, says the health care nonprofit 
violated privacy regulations by failing to use encryption and other security 
measures on the four computers that were stolen from its Park Ridge offices in 
July. The computers contained information on more than 4 million patients.

Names, addresses, dates of birth and Social Security numbers are risk on the 
computers, which were password-protected but not encrypted, Advocate said. 
While full medical records were not on the computers, medical data for some 
patients also is at risk, including diagnoses, medical record numbers, medical 
service codes and health insurance information.

The breach, revealed last month, affects patients seen by Advocate Medical 
Group physicians from the early 1990s through July. It’s the second-largest 
loss of unsecured protected health information reported to the Department of 
Health and Human Services since it implemented a mandatory notification rule in 
2009.

In a statement, Advocate took issue with the lawsuit but said “we deeply regret 
any inconvenience” the breach caused.

[...]

--
Find the best InfoSec talent without breaking your
recruiting budget! Post a Job, $99 for 31 days.
Hot InfoSec Jobs - http://www.hotinfosecjobs.com/