A group of patients have filed a class-action lawsuit against Advocate Medical Group in Park Ridge, Ill., following a July theft of computers containing information on four million individuals, according to a Chicago Tribune report. The Advocate Medical Group breach affects patients seen by its physicians from the early 1990s through the time of the theft.

It is the second biggest HIPAA breach ever reported, according to an iHealthBeat report citing HHS data. The computers, which contained patient names, addresses, dates of birth and Social Security numbers, were password-protected but not encrypted.

The lawsuit comes just a little less than three weeks before the HIPAA omnibus rule takes effect on September 23. The rule marks the most significant changes to the HIPAA Privacy and Security Rules since they were first implemented. These revisions include changes to "breach" and "business associate" definitions; changes to breach notification and risk analysis requirements; and additional limits on marketing communications. In addition, HIPAA audits are expected to occur more frequently and fines for violations will likely be substantially higher than in the past.