Advocate Health Care, one of the nation’s biggest healthcare suppliers, has announced that it has experienced a major HIPAA security breach after four unencrypted laptops were illegally taken from the Advocate Medical Group administrative buildings in Park Ridge, Illinois on July 15.
The laptops stored the records of over 4 million people, making this the second largest data security breach ever seen. This HIPAA breach has affected almost as many patients as the TRICARE Management Activity breach which released the data of 4.9 million people in 2011.
The database on the laptops included personal identifiable information along with clinical information on patient illnesses, Social Security numbers, dates of birth, medical record numbers, treating doctors, health insurance details and patient names and addresses.
The theft has been made known to law enforcement; however the laptops and data have not yet been found. The Office for Civil Rights of the Department of Health and Human Services has been notified of the security breach and officials have confirmed that an investigation will take place.
Adhering the HIPAA Security Rule, Advocate Health started issuing notifications of the breach to all affected individuals on August 23. The notifications included an apology for the breach and advised those affected to take measures to mitigate any damage and losses incurred. Advocate Health also stated that it will be putting in place a host of new security measures to prevent further breaches from occurring. Those measures include adding a 24 hour security presence at the building where the laptop theft happened.
The security breach has lead to a class action lawsuit being filed by two victims of the security breach who are representing all people affected. The plaintiffs claim that Advocate Health Care failed to put in place adequate security measures to protect patient health information and had “little or no security to stop unauthorized access.” The laptops were taken from an unproctected room according to the lawsuit.
The lawsuit refers to an Identity Fraud Report by Javelin that discovered the exposure of PHI from security violations raised the likelihood of identity theft by ten percent. The claim also says that Advocate Heath Care violated the Fair Credit Reporting Act when it failed to put in place appropriate safeguards to protect patient data.
Advocate Health Care be hit with a fine of $1.5 million if the OCR finds evidence of HIPAA non compliance and if the lawsuit is successful the total settlements are likely to be in the order of several million dollars; considerably larger than the cost of encrypting data on all portable devices and improving security. A laptop was stolen from Advocate Health Care in 2009 leading to the exposure of 812 patient records and had the company taken this as a warning and put in place the appropriate security measures, this massive data breach could have been prevented.