Potential class action targets Emory Healthcare over patient data breach
4:30 pm, June 7th, 2012
Emory Healthcare is the target of a potential class action suit seeking unspecified damages over the loss of 10 computer disks containing the personal and health information of hundreds of thousands of patients treated between 1999 and 2007.
The suit seeks money damages and financial record monitoring for a class it estimates as including as many 250,000 of the estimated 315,000 former patients affected by the data breach.
In April, Emory Healthcare President David Fox announced that 10 “backup” disks containing the information for every patient who had undergone surgery at Emory University Hospital, Emory Midtown and at the Emory Clinic Ambulatory Surgery Center had gone missing. In addition to patient information, he said at the time, about 228,000 patients’ Social Security numbers were also included in the data.
The suit was filed Monday on behalf of putative class representative Peter Bombardieri by Birmingham, Ala., attorneys Keith Jackson of Riley & Jackson and Rodney Miller of McCallum, Methvin & Terrell.
According to the complaint, Emory was negligent in storing and safeguarding such sensitive information on disks that were not encrypted. It says Emory waited 60 days after its discovery of the breach before notifying the public – the statutory limit of time by which a health-care provider must notify anyone whose personal information has been released.
It alleges invasion of privacy, negligence, and breach of implied contract, and asks the court to certify a class of every Georgia resident whose records were breached, estimated at between 200,000 and 250,000.
The suit seeks $1,000 in nominal damages and unspecified “exemplary” damages for each class member, plus individual damages for expenses incurred by former patients related to monitoring or changing their financial records and credit reports. It also asks that Emory be ordered to provide at three years’ worth credit monitoring and/or credit insurance for each class member, and that court issue an injunction ordering Emory to upgrade its security procedures relating to “digitally or electronically stored personal
The suit notes that Emory Healthcare reported the records of about 80 patients stolen in 20011, and was “thus aware that its existing policies and procedures for safeguarding the security and privacy of its
patients’ confidential information were deficient and ineffective.”
Jackson, who is licensed to practice in Georgia, said he
knew from first-hand experience that Emory healthcare had problems securing
“I’m actually a graduate of Emory Law School, and my wife got
one these letters [Emory healthcare] sent out about the breach,” he said. “I
knew it had happened before, and I also knew about another case. Three times
this has occurred that I know of, and I decided somebody needed to do something
Jackson said he is not aware of any further information
Emory has provided to patients regarding an investigation Fox said was launched
into the missing disks.
“They have not disclosed any other information, to our
knowledge, and what they did disclose was the very minimum on the very last
day,” he said.
Emory has not yet seen the suit and could not comment, said
spokesman Vincent Dollard.