Emory Healthcare at risk for $200 million plus loss

"I would participate in it not just for monetary reasons but to make people more careful," she said. "Sometimes you have to hit people in the pocketbook to make that happen."

Emory announced in April that it had lost 10 discs that contained personal data such as Social Security numbers for about 315,000 patients. This week two Alabama law firms filed suit in Fulton County Superior Court seeking class-action status for affected Georgians.

Attorney Keith Jackson, who filed the suit, said Thursday that the case is tailor-made for a class-action suit because the cost of litigation would make it too expensive for a single patient to sue. Any monetary reward given in an individual case would probably be too small to cover the costs, he said. A judge will decide whether to grant class-action status.

The suit seeks $1,000 for each Georgian affected -- which the suit estimates to be at least 200,000 patients -- as well as other damages to be determined later. The suit also wants Emory to pay for identity-theft and credit insurance for each class member for at least three years.

The $200 million the suit seeks would represent more than 10 percent of Emory Healthcare's $1.9 billion in revenue for fiscal 2011.

Emory officials were mum Thursday about the steps they've taken to better protect patient data. In April, John T. Fox, the president and CEO of Emory Healthcare, said the hospital system was clarifying policies and procedures as well as inventorying all storage spots to ensure patient information is secure. The missing information was not encrypted because it was associated with an outdated computer system. Encryption would have made viewing the data more difficult, Fox said.

John Sileo, an expert on identity theft, called encryption "the difference between locking your house and leaving it wide open." But health care organizations often wait until they have been breached to employ encryption, he said.

"The average business, health care or otherwise, doesn't move until it gets hit," Sileo said.

Emory says on its website that the lost information involves surgical patients treated at Emory University Hospital, Emory University Hospital Midtown and the Emory Clinic Ambulatory Surgery Center between September 1990 and April 2007. It says affected patients "will be provided access to identity protection services, including credit monitoring" by a company that specializes in identity security.

Jackson, however, said Emory is actually only paying for the monitoring, not for insurance to reimburse identity-theft victims.

The website says Social Security numbers appear on about 228,000 of the lost records. About 87,000 records do not include a Social Security number, which along with a date of birth is the key piece of information someone needs to take out loans and credit cards in another person's name. It can take a victim months, and sometimes years, to clear up credit problems.

Hammett said she hasn't been victimized by identify thieves, but she said Emory's failure to protect her information has caused her months of anxiety.

"It still scares me to death," she said.

Support real journalism. Support local journalism. Subscribe to The Atlanta Journal-Constitution today. See offers.

Your subscription to the Atlanta Journal-Constitution funds in-depth reporting and investigations that keep you informed. Thank you for supporting real journalism.