Emory Faces Breach Lawsuit
Incident Involves 10 Missing Backup Disks
The lawsuit was filed on behalf of the residents of Georgia who may have been affected by the breach, a group that likely numbers 200,000 or more, it states. It seeks $1,000 in damages for each resident affected, plus other damages to be determined.
The lawsuit alleges that Emory took inadequate steps to protect the information on the disks, leading to an invasion of privacy. It also alleges negligence. Taking such steps as encrypting the disks and training and supervising staff responsible for securing data "are affordable and easily achievable safeguards for preventing what happened," attorney Keith Jackson told HealthcareInfoSecurity. His firm, Riley & Jackson, is one of two involved in filing the lawsuit.
Emory Healthcare did not reply to a request for comment on the lawsuit.
In a blog about the incident, Emory notes that it has no evidence that any personal information has been misused as a result of the breach, and an investigation continues. It also notes Emory is offering 315,000 surgical patients who were potentially affected free credit monitoring services.
The information on the unencrypted disks, missing from a storage area at Emory University Hospital, includes Social Security numbers for 228,000 patients, according to the blog. Other information on the disks includes patient names; dates of surgery; diagnoses; procedure codes or names of surgical procedures; device implant information; surgeons' names and anesthesiologists' names, according to a news release.
Patients affected were treated at Emory University Hospital, Emory University Hospital Midtown or the Emory Clinic Ambulatory Surgery Center between September 1990 and April 2007, the blog notes.
An investigation determined the disks were "removed" between Feb. 7 and Feb. 20, according to the blog. "They contained data files from an obsolete software system that was deactivated in 2007. This deactivated system was accessed very infrequently and only as requested by either patients or their physicians. The last time they were accessed was in 2010."
Emory Healthcare has launched an initiative to "reinforce and clarify existing policies and procedures for safeguarding the security and privacy of sensitive information," the blog notes. "Emory is conducting a comprehensive inventory of all physical spaces across the system to ensure data are properly secured."