Emory Faces Breach Lawsuit

Incident Involves 10 Missing Backup Disks

Emory Healthcare in Atlanta faces a class action lawsuit seeking more than $200 million in damages following a breach involving 10 missing unencrypted backup disks.


The lawsuit was filed on behalf of Georgia residents who may have been affected by the breach, a group the suit says likely numbers 200,000 or more. It seeks $1,000 in damages for each resident affected, plus other damages to be determined.

The lawsuit alleges that Emory took inadequate steps to protect the information on the disks, leading to an invasion of privacy. It also alleges negligence. Taking such steps as encrypting the disks and training and supervising staff responsible for securing data "are affordable and easily achievable safeguards for preventing what happened," attorney Keith Jackson told HealthcareInfoSecurity. His firm, Riley & Jackson, is one of two involved in filing the lawsuit.

Emory Healthcare did not reply to a request for comment on the lawsuit.

Incident Details

In a blog about the incident, Emory notes that it has no evidence that any personal information has been misused as a result of the breach, and an investigation continues. It also notes Emory is offering 315,000 surgical patients who were potentially affected free credit monitoring services.

The information on the unencrypted disks, missing from a storage area at Emory University Hospital, includes Social Security numbers for 228,000 patients, according to the blog. Other information on the disks includes patient names; dates of surgery; diagnoses; procedure codes or names of surgical procedures; device implant information; surgeons' names and anesthesiologists' names, according to a news release.

Patients affected were treated at Emory University Hospital, Emory University Hospital Midtown or the Emory Clinic Ambulatory Surgery Center between September 1990 and April 2007, the blog notes.

An investigation determined the disks were "removed" between Feb. 7 and Feb. 20, according to the blog. "They contained data files from an obsolete software system that was deactivated in 2007. This deactivated system was accessed very infrequently and only as requested by either patients or their physicians. The last time they were accessed was in 2010."

Emory Healthcare has launched an initiative to "reinforce and clarify existing policies and procedures for safeguarding the security and privacy of sensitive information," the blog notes. "Emory is conducting a comprehensive inventory of all physical spaces across the system to ensure data are properly secured."


About the Author

Howard Anderson


News Editor, ISMG

Howard J. Anderson is news editor of Information Security Media Group and was founding editor of HealthcareInfoSecurity and DataBreachToday. He has more than 34 years of journalism experience, with a focus on healthcare information technology issues. Before launching HealthcareInfoSecurity, he served as founding editor of Health Data Management magazine, where he worked for 17 years, and he served in leadership roles at several other healthcare magazines and newspapers.
