4M Patient Records Exposed in Massive HIPAA Data Breach

by | Aug 28, 2013

Advocate Health Care, one of the nation’s biggest healthcare suppliers, has announced that it has experienced a major HIPAA security breach after four unencrypted laptops were illegally taken from the Advocate Medical Group administrative buildings in Park Ridge, Illinois on July 15.

The laptops stored the records of over 4 million people, making this the second largest data security breach ever seen. This HIPAA breach has affected almost as many patients as the TRICARE Management Activity breach which released the data of 4.9 million people in 2011.

The database on the laptops included personal identifiable information along with clinical information on patient illnesses, Social Security numbers, dates of birth, medical record numbers, treating doctors, health insurance details and patient names and addresses.

The theft has been made known to law enforcement; however the laptops and data have not yet been found. The Office for Civil Rights of the Department of Health and Human Services has been notified of the security breach and officials have confirmed that an investigation will take place.

Adhering the HIPAA Security Rule, Advocate Health started issuing notifications of the breach to all affected individuals on August 23. The notifications included an apology for the breach and advised those affected to take measures to mitigate any damage and losses incurred. Advocate Health also stated that it will be putting in place a host of new security measures to prevent further breaches from occurring. Those measures include adding a 24 hour security presence at the building where the laptop theft happened.

The security breach has lead to a class action lawsuit being filed by two victims of the security breach who are representing all people affected. The plaintiffs claim that Advocate Health Care failed to put in place adequate security measures to protect patient health information and had “little or no security to stop unauthorized access.” The laptops were taken from an unproctected room according to the lawsuit.

The lawsuit refers to an Identity Fraud Report by Javelin that discovered the exposure of PHI from security violations raised the likelihood of identity theft by ten percent. The claim also says that Advocate Heath Care violated the Fair Credit Reporting Act when it failed to put in place appropriate safeguards to protect patient data.

Advocate Health Care be hit with a fine of $1.5 million if the OCR finds evidence of HIPAA non compliance and if the lawsuit is successful the total settlements are likely to be in the order of several million dollars; considerably larger than the cost of encrypting data on all portable devices and improving security. A laptop was stolen from Advocate Health Care in 2009 leading to the exposure of 812 patient records and had the company taken this as a warning and put in place the appropriate security measures, this massive data breach could have been prevented.

Raise the level of HIPAA Awareness in your organization with Learner-Friendly, Comprehensive and Affordable HIPAA Training.


Please enable JavaScript in your browser to complete this form.

Patrick Kennedy

Patrick Kennedy is a highly accomplished journalist and editor with nearly two decades of experience in the field. With expertise in writing and editing content, Patrick has made significant contributions to various publications and organizations. Over the course of his career, Patrick has successfully managed teams of writers, overseeing the production of high-quality content and ensuring its adherence to professional standards. His exceptional leadership skills, combined with his deep understanding of journalistic principles, have allowed him to create cohesive and engaging narratives that resonate with readers. A notable area of specialization for Patrick lies in compliance, particularly in relation to HIPAA (Health Insurance Portability and Accountability Act). He has authored numerous articles delving into the complexities of compliance and its implications for various industries. Patrick's comprehensive understanding of HIPAA regulations has positioned him as a go-to expert, sought after for his insights and expertise in this field. Patrick's bachelors degree is from the University of Limerick and his master's degree in journalism is from Dublin City University. You can contact Patrick through his LinkedIn profile:

Raise the level of HIPAA Awareness in your organization with Learner-Friendly, Comprehensive and Affordable HIPAA Training.

Comprehensive HIPAA Training

Used in 1000+ Healthcare Organizations and 100+ Universities

    Full Course - Immediate Access

    Privacy Policy