A class-action lawsuit has been filed against Advocate Medical Group in Downers Grove, Ill., by patients affected by a massive breach of the group’s computer system. The lawsuit alleges that the Chicago area's largest physician group violated privacy regulations by failing to use encryption and other security practices to protect patient files.
The lawsuit comes on top of an investigation of the group by federal and state authorities after information from the medical records of millions of patients was unlawfully obtained when four computers were stolen from the group’s Park Ridge offices.
Personal information such as names, addresses, dates of birth and Social Security numbers of more than 4 million patients was compromised in the July theft of four computers, making it the second-largest loss of unsecured health information reported to the Department of Health and Human Services since the agency made notification obligatory in 2009.
Although the computers themselves were password protected, the patient information and records stored on them were not encrypted. While detailed medical records were not on the computers, medical data for some patients are also at risk, such as diagnoses, medical record numbers, medical service codes, and health insurance information.
“Nothing leads us to believe the computers were taken for the information they contain, and there is no information to suggest any of that data has been used in an inappropriate way,” said Kelly Jo Golson, senior vice president and chief marketing officer for the nonprofit group.
A Ponemon Institute report states that while most healthcare facilities understand the hazards associated with potential system breaches, including violating the Health Insurance Portability and Accountability Act, many still fail to put appropriate plans in place to prevent one.
“Many times organizations don't fully grasp the need to do so until a breach occurs. And in the Ponemon survey, even among organizations that had been breached, 39 percent still had not put a data risk plan in place. It put healthcare organizations' cost of responding to breaches at $6.78 billion annually,” read the report.
In a statement, Advocate Medical Group strongly contested the filing of the lawsuit, but said “we deeply regret any inconvenience” the breach had caused.
“We want to reassure our patients that we do not believe the data was targeted and we have no information that leads us to believe that the information has been misused. Thus, we feel confident the facts will demonstrate that the lawsuit is without merit,” the statement read.