Two unencrypted laptop computers were stolen on Dec. 11 from an AvMed facility in Gainesville, Fla. AvMed initially believed information on about 208,000 members was at risk, but that number rose to 1.22 million by June 2010. Protected information on the laptops included a mixture of name, address, date of birth, Social Security number, phone number, and diagnosis, procedure and prescription information.
"Merely taking the time to encrypt their laptops likely would have obviated any harm done by this theft," says William Gray, an attorney at Edelson McGuire, in a statement. "It is mind-boggling that such simple procedures were not done to protect AvMed's customers, who placed their trust in their insurance company to protect their highly personal information."
Miami-based AvMed has previously said it has no evidence that any information on the laptops has been misused.
The AvMed incident is one of nearly 200 breaches affecting at least 500 individuals listed since September 2009 on a Web site of the Department of Health and Human Services' Office for Civil Rights. The office has enforcement jurisdiction over the HIPAA breach notification law promulgated under the HITECH Act.
For a copy of the lawsuit filed against AvMed in the Circuit Court of the Eleventh Judicial Circuit in Miami-Dade County, send an e-mail to firstname.lastname@example.org.