Ill. provider cleared in class-action lawsuit from breach

Advocate Medical Group has been cleared of wrongdoing in a class action lawsuit alleging the organization failed to protect patient data following a massive HIPAA data breach.

The decision was filed August 6 by the Appellate Court of Illinois Second District and affirmed two previous court dismissals of the complaints. The Chicago-based Advocate faced the lawsuit filed by former patients alleging that they faced "an increased risk of identity theft and/or identity fraud" after four unencrypted AHC laptops containing patient data were stolen from one of its medical facilities in July 2013.

The stolen laptops contained the Social Security numbers and protected health information, including medical diagnoses, of 4,029,530 patients, making it the sixth largest HIPAA breach ever reported, according to data from the Department of Health and Human Services.

"We reject plaintiffs' arguments and note again that their allegations are merely speculative," Illinois Appellate Judge Ann B. Jorgensen ruled. "The fact that two plaintiffs to date (out of those four million) have received notification of fraudulent activity, i.e., have suffered actual injury arising from Advocate's alleged wrongful acts, does not show that plaintiffs here face imminent, certainly impending, or a substantial risk of harm as a result of the burglary, where no such activity has occurred with respect to their personal data."

The appellate panel affirmed two previous court dismissals of the case, both of which argued that there was no "present harm" or that "the harm that Plaintiffs fear is contingent on a chain of attenuated hypothetical events and actions by third parties."