A class action lawsuit claims an Elgin clinic released confidential information of its patients – including their HIV or AIDS status – over file sharing computer networks.
The complaint, filed Thursday against The Open Door Clinic of Greater Elgin, names four people as "John Doe," including one man from St. Charles, and a fifth "Jane Doe," on behalf of "all those similarly situated." The class action lawsuit goes on to state the class consists of at least 260 people, who are suing on the basis of negligence, invasion of privacy and breech of confidentiality.
The lawsuit, filed by attorney Terry Heady of Aurora, claims that the clinic "negligently, wrongfully and improperly leaked, disseminated and disclosed its patients personally identifiable information, including, but not limited to their HIV/AIDS status" by way of "peer-to-peer file sharing networks where the information was made readily available, accessible and retrievable to the public at large."
Information was leaked beginning in late May 2008 – possibly earlier – until at least July 2009, according to the complaint. Clinic officials have been aware of the leak since the summer of 2008, but did not notify patients, according to the complaint.
The complaint further alleges that the information also led to identity theft and fraud of "Jane Doe," who lives in Schaumburg. The other "John Doe" patients live in Aurora, Elgin and Naperville.
No one returned phone calls placed on Friday to the clinic, which is a nonprofit organization that provides lab testing, patient care, information and other services to HIV and AIDS patients.
According to the lawsuit, the clinic stores patient information, including social security numbers, addresses, telephone numbers, insurance information and medical history on a file-sharing network.
That network is accessible to employees' personal laptops and home computers, the complaint states.
A spreadsheet with information of about 260 of its patients was leaked "as a result of the installation and use of file sharing software on … computers containing patients' personally identifiable information" despite the clinics' duty to keep the information confidential, the lawsuit states.
The clinic was negligent in allowing employees to access the information on personal computers and on an insecure database, the lawsuit states. Further, the complaint states, among other claims, that employees should have been trained, and computers should have been monitored to avoid the leak.
That "master list" was searched, accessed, downloaded and re-shared by other users in the network, including one in Apache Junction, Ariz., who is "an identity thief," the complaint states.
"The [patients] believed and expected that the clinic would maintain their medical information confidential," the lawsuit states. "In many respects, HIV and AIDS are misunderstood by the general public. People afflicted with the disease are stigmatized, subjected to scorn, ostracized by members of the public, including their own family.
"They face discrimination in the workplace, educational settings and in society. As a result of the clinic's ongoing data leakage, the medical condition and HIV/AIDS status of the [patients] … have been and are now known and available to the public at large."
The lawsuit seeks an unspecified amount in damages that is at least $50,000, plus court costs. Associate Judge Robert Spence will preside over the matter in court May 13.
