Huge HIPAA Data Breach Reveals 4M Patient Files

One of the nation’s leading healthcare providers, Advocate Health Care, has announced that it has suffered a major HIPAA security breach after 4 unencrypted laptops were stolen from the Advocate Medical Group administrative buildings in Illinois on July 15.

The laptops held the records of more than 4 million people, making this the 2nd biggest data security breach ever documented. This HIPAA breach has affected nearly as many patients as the TRICARE Management Activity breach, which exposed the data of 4.9 million people in 2011.

The database on the laptops contained personally identifiable information along with clinical data on patient diseases, dates of birth, Social Security numbers, health insurance details, medical record numbers, and patient names and addresses.

The theft has been reported to law enforcement; however, the laptops and the data have not yet been recovered. The Office for Civil Rights of the Division of Health and Human Services has been alerted to the security breach, and officers have confirmed that an investigation will be carried out.

As per the HIPAA Security Law, Advocate Health began mailing notices of the breach to all affected people on August 23. The notices included an apology for the breach and advised those affected to take measures to mitigate any damage and losses. Advocate Health also said that it will be implementing a host of new security measures to prevent further breaches. Those measures include adding a round-the-clock security presence at the building where the laptop theft occurred.

The security breach has led to a class action lawsuit being filed by 2 victims of the breach, who are representing all people affected. The plaintiffs allege that Advocate Health Care did not apply sufficient security measures to safeguard patient health information and had “little or no safety to avoid unlawful access.” According to the lawsuit, the laptops were stolen from an unmonitored room.

The lawsuit references an Identity Scam Report by Javelin that found the exposure of PHI in security breaches raised the probability of identity theft by 10 percent. The claim also asserts that Advocate Health Care violated the Fair Credit Reporting Act when it did not implement suitable safeguards to protect patient data.

Advocate Health Care might face a fine of as much as $1.5 million if the OCR finds evidence of HIPAA non-compliance, and if the lawsuit is successful the total settlements are expected to be several million dollars, significantly more than the cost of encrypting data on all portable devices and improving security. A laptop was stolen from Advocate Health Care during 2009, exposing 812 patient files; had the business taken this as a warning and applied the correct security measures, this huge data breach might have been prevented.


Posted by

Mark Wilson

Mark Wilson is a news reporter specializing in information technology cyber security. Mark has contributed to leading publications and spoken at international forums with a focus on cybersecurity threats and the importance of data privacy. Mark is a computer science graduate.