Two Data Breaches at Lake County Health Department Impact 25,000 Patients

by | Jul 20, 2021

In Illinois Lake County Health Department has revealed that it has been impacted by two separate data breaches that could have impacted the protected health information (PHI) of approximately 25,000 patients.

The initial breach took place, when a Lake County Health staff member broadcasted an unencrypted email from their staff email account to the personal account of a co-worker during 2019. Included in the email had been a spreadsheet that listed the medical record requests made during the time period from December 2016 to June 2019. An external company has processed the requests that were related to Lake County Health Department release of information requests. The spreadsheet listed the identity of 24,241 patients along with details of appointments with the vendor.

The breach was first spotted by Lake County Health on July 22, 2019; however, it was not until July 2021 that notification letters were issued to patients who may have been impacted. Lake County Health officials stated that this delay was permitted to take place as they were of the opinion that they were not required as no personal health information had been affected during the breach.

Despite this, the Department of Health and Human Services stated that they were not in agreement with this assertion. It confirmed that notification letters should have been to be issued as PHI may have been infiltrated as part of the potential HIPAA breach.

On May 14, 2021 another data breach was identified when a Google spreadsheet was discovered which listed the names, birth dates, emails contact details, phone contact details, and the COVID-19 vaccination status of 705 Lake County Health clients. This list has been held in a staff member’s personal Google Drive. While it is true that Google Drive can be used in a HIPAA-compliant  fashion, along with other G Suite services, personal accounts cannot be used in a HIPAA-compliant manner. This is due to the fact that Google will be able to access any data that is located in personal Google accounts. This access is possible as Google creates targeted services and adverts based on the data that has been saved. In case the spreadsheet contained lists of seniors that had made contact in relation to queries related to COVID-19 vaccinations. Lake County Health has now informed all impacted individuals of this potential breach of their PHI.

In both of these incidents patient data was exposed. Responding to this, Lake County Health stated that internal risk assessments had been completed and there was no proof found to suggest that impacted data had been accessed/stolen by unauthorized individuals or improperly used.

Since the breach was discovered, Lake County Health Department has configured additional security solutions and administrative processes to ensure that breaches like this are prevented going forward. Some of the new features include email encryption and additional monitoring measures.


Raise the level of HIPAA Awareness in your organization with Learner-Friendly, Comprehensive and Affordable HIPAA Training.


Please enable JavaScript in your browser to complete this form.

Patrick Kennedy

Patrick Kennedy is a highly accomplished journalist and editor with nearly two decades of experience in the field. With expertise in writing and editing content, Patrick has made significant contributions to various publications and organizations. Over the course of his career, Patrick has successfully managed teams of writers, overseeing the production of high-quality content and ensuring its adherence to professional standards. His exceptional leadership skills, combined with his deep understanding of journalistic principles, have allowed him to create cohesive and engaging narratives that resonate with readers. A notable area of specialization for Patrick lies in compliance, particularly in relation to HIPAA (Health Insurance Portability and Accountability Act). He has authored numerous articles delving into the complexities of compliance and its implications for various industries. Patrick's comprehensive understanding of HIPAA regulations has positioned him as a go-to expert, sought after for his insights and expertise in this field. Patrick's bachelors degree is from the University of Limerick and his master's degree in journalism is from Dublin City University. You can contact Patrick through his LinkedIn profile:

Raise the level of HIPAA Awareness in your organization with Learner-Friendly, Comprehensive and Affordable HIPAA Training.

Comprehensive HIPAA Training

Used in 1000+ Healthcare Organizations and 100+ Universities

    Full Course - Immediate Access

    Privacy Policy