Class-action lawsuit brought against AvMed over breach

Story updated on Tuesday, Nov. 23 at 5:19 p.m. EST

A Florida-based health insurance provider has been hit with a class-action lawsuit after it revealed earlier this year that thieves had stolen two company laptops containing the personal information of members.

The suit, filed in Florida, seeks unspecified damages for customers whose private medical data was contained on the machines, according to a statement last week from law firm Edelson McGuire.

The complaint also contends that AvMed initially failed to accurately quantify the number of individuals affected. When the breach was revealed in February, the company reported that the personal information, including names, addresses, phone numbers, Social Security numbers and medical data belonging to 208,000 people, was on the laptops, which were stolen from a facility in Gainesville.

But, in June, the company revised the total number of victims to 1.2 million, making it one of the largest health care breaches in recent memory.

Bill Gray, the plaintiff's attorney, said AvMed failed to adhere to regulations under the Health Insurance Portability and Accountability Act (HIPAA).

"Merely taking the time to encrypt their laptops likely would have obviated any harm done by this theft," Gray said. "It is mind-boggling that such simple procedures were not done to protect AvMed's customers, who placed their trust in their insurance company to protect their highly personal information."

Neither HIPAA nor the complementary HITECH Act, passed as part of the 2009 federal economic stimulus bill, specifically requires encryption. HITECH provides guidance on securing protected health information and specifies that a breached organization that uses encryption is not subject to breach notification rules or resultant lawsuits.

AvMed spokeswoman Conchita Ruiz told SCMagazineUS.com on Tuesday that company policy is to not comment on pending litigation. But she said the business was not aware of any personal data being misused as a result of the breach.

That could prove beneficial to AvMed's case, as there is precedent of judges tossing breach-related lawsuits if the plaintiffs are unable to show financial harm to the victim.

AvMed is providing victims with two years of free identity theft protection.
