AvMed Sued Over Laptop Breach

Class Action Suit Seeks Damages, Security Measures
In the aftermath of the largest healthcare information breach reported to federal authorities so far under the HITECH Act, five AvMed Health Plan customers have filed a class-action lawsuit on behalf of the 1.2 million potentially affected.

The lawsuit contends that the insurer took inadequate steps to protect patient information, violating HIPAA and not complying with industry standards and its own policies.

An AvMed spokesman says the insurer still has received no evidence that the information on a stolen laptop has been used to commit fraud or for any other purpose. She declined to comment on the lawsuit.

The suit seeks statutory and punitive damages, without specifying an amount, and asks the court to require AvMed to protect all data in compliance with HIPAA and industry standards.

The incident, which dates back to Dec. 11, 2009, is the largest reported so far under the HITECH Act's breach notification rule, which mandates that breaches affecting 500 or more individuals be reported within 60 days to the Department of Health and Human Services' Office for Civil Rights.

Stolen Laptop Not Encrypted

Two laptops were stolen from an AvMed facility in Gainesville, Fla., and one, which contained encrypted patient information, was recovered with the help of a tracking mechanism, the insurer reported. The other device, which was not recovered, held unencrypted information, including names, addresses, dates of birth, Social Security numbers and healthcare details.

"Merely taking the time to encrypt their laptops likely would have obviated any harm done by this theft," says the plaintiffs' attorney, Bill Gray of Edelson McGuire, which specializes in filing class action suits. "It is mind-boggling that such simple procedures were not done to protect AvMed's customers, who place their trust in their insurance company to protect their highly personal information."

HIPAA and the HITECH Act do not explicitly mandate the use of encryption on any computer device. But the HIPAA security rule requires that patient information be adequately protected to address any risks identified in a risk assessment.

Breach Notification Delay

In February, when it initially revealed the incident, the Florida insurer said 208,000 current and former members had potentially been affected. Later, it upped that total to 360,000 and notified them all. Then in June, the company announced the total number of patients potentially affected was 1.2 million.

"As this investigation progressed with the involvement of leading data security experts, AvMed concluded that there is reason to believe that similar information of approximately 860,000 additional current and former members may have been included," the insurer said in a June 3 statement. The company hired a forensics team from Price Waterhouse Coopers to help pinpoint the data involved, the AvMed spokesman said.

In June, the insurer began notifying the 860,000 additional individuals affected about the breach incident. It offered two years of free identity protection from the Debix Identity Protection Network to all 1.2 million affected.

AvMed also announced in June that it was encrypting all its laptops.

About the Author

Howard Anderson

Former News Editor, ISMG

Anderson was news editor of Information Security Media Group and founding editor of HealthcareInfoSecurity and DataBreachToday. He has more than 40 years of journalism experience, with a focus on healthcare information technology issues. Before launching HealthcareInfoSecurity, he served as founding editor of Health Data Management magazine, where he worked for 17 years, and he served in leadership roles at several other healthcare magazines and newspapers.
