Case Against Advocate Health Dismissed

by | Aug 7, 2014

An Illinois a class action lawsuit that arose from the Massive HIPAA breach affecting the healthcare provider last August has been thrown out by circuit court in Kane County.

The incident possibly exposed the data of almost 4 million patients when four unencrypted computers were stolen from its Park Ridge offices.

The class action lawsuit was taken by two plaintiffs who claimed Advocate Health acted with negligence by failing to put in place the appropriate safeguards to protect their data. The lawsuit also alleges Advocate Health violated both the Illinois Personal Information Protection Act and the Illinois Consumer Fraud Act in addition to the incident causing an invasion of privacy.

The court found in favor of Advocate Health & Hospitals because the case lacked standing or basis. While there was no doubt that the PHI of the patients had been potentially exposed, the plaintiffs were unable to provide adequate proof to confirm that the data had actually been viewed by an unauthorized person. Without this proof it was not possible to establish whether any harm had actually been inflicted.

If there is no injury or damage there can be no claim, and while the court did find that the probability of identity theft happening had increased, there was not no certainty that the data would be accessed or used inappropriately. In order for a case to be ruled in favor of the plaintiffs the thieves would have to have sold or used the data for personal profit, and some proof that would need to be provided.

Furthermore, claims of injury had been made but again insufficient evidence was provided to support claims for negligence or fraud under the Illinois Consumer Fraud Act. The claim that there had been an invasion of privacy was also thrown out due to there being “insufficient allegations of intentional conduct.”

Although class action lawsuits can be taken for personal injuries and damage caused due to a HIPAA security breach they can be difficult for plaintiffs to win. There is no private cause of action under HIPAA so in order for a case to be won it must be established and proven that the actions of a HIPAA-covered entity actually breached state law theories.

It is unlikely that any case will be successful if proof of harm or injury cannot be supplied, and while evidence of data exposure may exist, without that data being used, sold on or otherwise causing demonstrable harm, plaintiffs are unlikely to be awarded damages. This does not let healthcare companies off the hook, as the Department of Health and Human Services reviews reported breaches and can apply heavy financial fines to institutions that fail to adhere to HIPAA regulations, regardless of whether data has been seen, accessed or used by unauthorized people.

Raise the level of HIPAA Awareness in your organization with Learner-Friendly, Comprehensive and Affordable HIPAA Training.


Please enable JavaScript in your browser to complete this form.

Patrick Kennedy

Patrick Kennedy is a highly accomplished journalist and editor with nearly two decades of experience in the field. With expertise in writing and editing content, Patrick has made significant contributions to various publications and organizations. Over the course of his career, Patrick has successfully managed teams of writers, overseeing the production of high-quality content and ensuring its adherence to professional standards. His exceptional leadership skills, combined with his deep understanding of journalistic principles, have allowed him to create cohesive and engaging narratives that resonate with readers. A notable area of specialization for Patrick lies in compliance, particularly in relation to HIPAA (Health Insurance Portability and Accountability Act). He has authored numerous articles delving into the complexities of compliance and its implications for various industries. Patrick's comprehensive understanding of HIPAA regulations has positioned him as a go-to expert, sought after for his insights and expertise in this field. Patrick's bachelors degree is from the University of Limerick and his master's degree in journalism is from Dublin City University. You can contact Patrick through his LinkedIn profile:

Raise the level of HIPAA Awareness in your organization with Learner-Friendly, Comprehensive and Affordable HIPAA Training.

Comprehensive HIPAA Training

Used in 1000+ Healthcare Organizations and 100+ Universities

    Full Course - Immediate Access

    Privacy Policy