Class-action lawsuit brought against AvMed over breach

Share this article:

Story updated on Tuesday, Nov. 23 at 5:19 p.m. EST

A Florida-based health insurance provider has been hit with a class-action lawsuit after it revealed earlier this year that thieves had stolen two company laptops containing the personal information of members.

The suit, filed in Florida, seeks unspecified damages for customers whose private medical data was contained on the machines, according to a statement last week from law firm Edelson McGuire.

The complaint also contends that AvMed initially failed to accurately quantify the number of individuals affected. When the breach was revealed in February, the company reported that the personal information, including names, addresses, phone numbers, Social Security numbers and medical data belonging to 208,000 people, was on the laptops, which were stolen from a facility in Gainesville.

But, in June, the company revised the total number of victims to 1.2 million, making it one of the largest health care breaches in recent memory.

Bill Gray, the plaintiff's attorney, said AvMed failed to adhere to regulations under the Health Insurance Portability and Accountability Act (HIPAA).

"Merely taking the time to encrypt their laptops likely would have obviated any harm done by this theft," Gray said. "It is mind-boggling that such simple procedures were not done to protect AvMed's customers, who placed their trust in their insurance company to protect their highly personal information."

Neither HIPAA nor the complementary HITECH Act, passed as part of the 2009 federal economic stimulus bill, specifically require encryption. HITECH provides guidance on securing protected health information and details that if a breached organization uses encryption, it is not subject to breach notification rules or resultant lawsuits.

AvMed spokeswoman Conchita Ruiz told on Tuesday that company policy is to not comment on pending litigation. But she said the business was not aware of any personal data being misused as a result of the breach.

That could prove beneficial to AvMed's case, as there is precedent of judges tossing breach-related lawsuits if the plaintiffs are unable to show financial harm to the victim.

AvMed is providing victims with two years of free identity theft protection.

Share this article:
You must be a registered member of SC Magazine to post a comment.

Sign up to our newsletters

More in News

CryptoWall surpasses CryptoLocker in infection rates

CryptoWall surpasses CryptoLocker in infection rates

A threat analysis from Dell SecureWorks CTU says that CryptoWall has picked up where its famous sibling left off.

Professor says Google search, not hacking, yielded medical info

Professor says Google search, not hacking, yielded medical ...

A professor of ethical hacking at City College San Francisco came forward to clarify that he did not demonstrate hacking a medical center's server in a class.

Syrian Malware Team makes use of enhanced BlackWorm RAT

Syrian Malware Team makes use of enhanced BlackWorm ...

FireEye analyzed the hacking group's use of the malware, dubbed the "Dark Edition" of BlackWorm.