A recent court filing has revealed a significant data breach involving a major healthcare provider, putting the sensitive personal and health information of nearly 183,000 patients at risk. The complaint was filed by Alexandra Phelps in the United States District Court for the Northern District of Illinois on September 17, 2024, against the Illinois Bone and Joint Institute (IBJI).
According to the class action complaint, IBJI failed to protect its patients' personally identifiable information (PII) and protected health information (PHI) from known cyber threats. This data included names, addresses, dates of birth, Social Security numbers, driver's license numbers, medical treatment or diagnosis information, and health insurance or claims information. The plaintiff alleges that IBJI did not comply with regulatory, ethical, and industry standards for cybersecurity and confidentiality of patient records. Specifically, IBJI is accused of failing to take basic security measures such as encrypting data and destroying obsolete data.
The breach reportedly began on May 30, 2024, when criminal hackers gained access to IBJI’s computer network. They remained undetected until July 4, 2024. Despite discovering the breach on July 4th, IBJI delayed notifying affected individuals until August 30th—57 days later—allowing criminals ample time to misuse the stolen data. Phelps received a notification letter from IBJI on August 30th stating that her personal information had been compromised.
As a result of this breach, Phelps claims she has suffered numerous actual injuries including invasion of privacy and financial costs incurred while mitigating the risk of identity theft. She also cites loss of time due to following IBJI's instructions in their notice letter and dealing with actual identity theft issues. The lawsuit accuses IBJI of negligence per se for violating HIPAA regulations and Federal Trade Commission guidelines by failing to ensure the confidentiality and integrity of electronic PHI.
Phelps seeks damages for herself and other affected patients as well as injunctive relief to prevent future breaches. She is also asking for declaratory relief that acknowledges IBJI's failure to protect patient data adequately.
The case ID is 1:24-cv-08555.