Emory Healthcare Faces Major Breach Lawsuit

This lawsuit is an example of what can happen with the unsecured ePHI at your practice. Your practice may not be as large as Emory Healthcare, but a breach of your practice can have a major impact on your business.

Emory Healthcare in Atlanta faces a class-action lawsuit seeking more than $200 million in damages following a breach involving 10 missing unencrypted backup disks.

The lawsuit was filed on behalf of Georgia residents who may have been affected by the breach, a group the complaint says likely numbers 200,000 or more. It seeks $1,000 in damages for each affected resident, plus other damages to be determined.

The lawsuit alleges that Emory took inadequate steps to protect the information on the disks, leading to an invasion of privacy. It also alleges negligence. Taking such steps as encrypting the disks and training and supervising staff responsible for securing data "are affordable and easily achievable safeguards for preventing what happened," said attorney Keith Jackson. His firm, Riley & Jackson, is one of two involved in filing the lawsuit.

Emory Healthcare did not reply to a request for comment on the lawsuit.

Emory notes that it has no evidence that any personal information has been misused as a result of the breach, and an investigation continues. It also notes Emory is offering 315,000 surgical patients who were potentially affected free credit monitoring services.

The information on the unencrypted disks, missing from a storage area at Emory University Hospital, includes Social Security numbers for 228,000 patients, according to the blog. Other information on the disks includes patient names; dates of surgery; diagnoses; procedure codes or names of surgical procedures; device implant information; surgeons' names and anesthesiologists' names.

Patients affected were treated at Emory University Hospital, Emory University Hospital Midtown, or the Emory Clinic Ambulatory Surgery Center between September 1990 and April 2007.

An investigation determined the disks were "removed" between Feb. 7 and Feb. 20. They contained data files from an obsolete software system that was deactivated in 2007. This deactivated system was accessed very infrequently and only as requested by either patients or their physicians. The last time they were accessed was in 2010.

Emory Healthcare has launched an initiative to reinforce and clarify existing policies and procedures for safeguarding the security and privacy of sensitive information. Emory is conducting a comprehensive inventory of all physical spaces across the system to ensure data are properly secured.