HIPAA breach is bad news for 729,000

Health system now to 'expedite' encryption

Despite the revamped federal HIPAA Omnibus Rule which holds covered entities and business associates more accountable for failing to adequately protect patients' health information, some groups continue to make the same old avoidable mistakes. 

AHMC Healthcare, a six-hospital health system in Alhambra, Calif., is one of the newest entities rethinking its encryption and privacy policies. In one of the biggest HIPAA privacy breaches ever reported, the health system notified 729,000 patients that their protected health information has been compromised following the theft of two unencrypted laptops by a transient. 

[See also: Ready or not: HIPAA gets tougher today.]

The laptops contained data on patients seen at all six of AHMC Healthcare's hospitals. Officials say the office where the laptops were stolen was video monitored, and the campus was gated and "patrolled by security." However, the transient was able to walk out with the laptops with no issues Oct. 12. 

Patient names, Medicare data, medical diagnoses and insurance and payment information were all contained on the two laptops. 

As a result of the breach, AHMC Healthcare will be "expediting a policy of encrypting all laptops," according to a Oct. 21 notification letter mailed to patients. "We regret any inconvenience or concern this incident may cause our patients," the letter read. 

The AHMC Healthcare breach is the 11th biggest HIPAA data breach to date, according to data from the Department of Health and Human Services. 

Just in August, Illinois-based Advocate Health Care reported the second biggest HIPAA data breach in the nation after four unencrypted laptops were stolen from its facility, compromising the protected health information and Social Security numbers of more than 4 million people. The health system was subsequently slapped with a class action lawsuit filed by affected patients. 

Leon Rodriguez, director of the Office for Civil Rights -- the agency responsible for investigating HIPAA violations -- has promised an increase in investigations and monetary penalties for groups that have failed to take patient privacy seriously. OCR has already collected some $16 million from 16 organizations who grossly violated HIPAA. 

“I think all these cases really powerfully articulate those expectations and the fact that we will be holding people accountable," he said in an September interview with Healthcare IT News.