
Class-action lawsuit brought against AvMed over breach

Story updated on Tuesday, Nov. 23 at 5:19 p.m. EST

A Florida-based health insurance provider has been hit with a class-action lawsuit after it revealed earlier this year that thieves had stolen two company laptops containing the personal information of members.

The suit, filed in Florida, seeks unspecified damages for customers whose private medical data was contained on the machines, according to a statement last week from law firm Edelson McGuire.

The complaint also contends that AvMed initially failed to accurately quantify the number of individuals affected. When the breach was revealed in February, the company reported that the personal information, including names, addresses, phone numbers, Social Security numbers and medical data belonging to 208,000 people, was on the laptops, which were stolen from a facility in Gainesville.

But, in June, the company revised the total number of victims to 1.2 million, making it one of the largest health care breaches in recent memory.

Bill Gray, the plaintiff's attorney, said AvMed failed to adhere to regulations under the Health Insurance Portability and Accountability Act (HIPAA).

"Merely taking the time to encrypt their laptops likely would have obviated any harm done by this theft," Gray said. "It is mind-boggling that such simple procedures were not done to protect AvMed's customers, who placed their trust in their insurance company to protect their highly personal information."

Neither HIPAA nor the complementary HITECH Act, passed as part of the 2009 federal economic stimulus bill, specifically requires encryption. HITECH provides guidance on securing protected health information and states that if a breached organization uses encryption, it is not subject to breach notification rules or resultant lawsuits.

AvMed spokeswoman Conchita Ruiz told SCMagazineUS.com on Tuesday that company policy is to not comment on pending litigation. But she said the business was not aware of any personal data being misused as a result of the breach.

That could prove beneficial to AvMed's case, as there is precedent of judges tossing breach-related lawsuits if the plaintiffs are unable to show financial harm to the victim.

AvMed is providing victims with two years of free identity theft protection.
