Advocate Medical Group of Chicago is in the process of alerting more than 4 million patients of a July 15 data breach in which four unencrypted computers were stolen from a Park Ridge administrative building. This substantial breach is the second-largest HIPAA violation ever reported to the Department of Health and Human Services (HHS).
Though no health data was compromised, patient names, addresses, Social Security numbers and dates of birth were exposed, according to the Chicago Tribune. Affected patients include those who received treatment as far back as the 1990s. Advocate Medical Group is the largest Chicago physician group, with more than 1,000 doctors and 200 locations, mostly in Chicagoland and central Illinois.
The administrative building had a security camera and a panic button, but it had no alarm and no security personnel, and the computers have yet to be recovered. Advocate said it plans to reassess its security approach going forward.
Kelly Jo Golson, senior vice president and chief marketing officer at Advocate Health Care, said it took the organization a month to determine the depth of the breach.
“There was a large volume of data on the computers, and the format of the data was very complex,” Golson said. “We were very comprehensive and thorough in our analysis of the data to ensure we were notifying every patient who may be affected.”
Advocate started notifying patients of the breach on Friday and will continue doing so until Sept. 9, while offering affected patients a free year of credit monitoring services. “Nothing leads us to believe the computers were taken for the information they contain, and there is no information to suggest any of that data has been used in an inappropriate way,” Golson said. “We want our patients to know that security is a top priority, and we’re focused right now on putting together resources to make sure we can help answer any questions.”
The problem here, as in most such incidents, is the lack of encryption and the reliance on password protection as the means of securing patient data. A login password does nothing once the hardware is in someone else’s hands, because the disk can simply be read directly; only encryption of the data at rest keeps stolen machines from becoming a breach. Whether they are responsible for 4 million patients’ data or just a handful, organizations need to start taking encryption seriously.