Behemoth breach sounds alarm for 4M

Advocate Health reports second biggest HIPAA breach ever

In the second biggest HIPAA breach ever reported, one of the nation's largest healthcare systems is notifying more than four million patients that their protected health information and Social Security numbers have been compromised after the theft of four unencrypted company computers.

Advocate Health System announced that the theft occurred at one of its Advocate Medical Group administrative buildings in Park Ridge, Ill., on July 15. Patient names, addresses, dates of birth, Social Security numbers and clinical information – including physician, medical diagnoses, medical record numbers and health insurance data – were all contained on the computers, officials say.

Health system officials have contacted local law enforcement to investigate the incident but have been unable to locate the computers.

"We deeply regret that this incident has occurred," wrote Kevin McCune, MD, chief medical officer of Advocate Medical Group, in an Aug. 23 letter mailed to affected patients. "In order to prevent such an incident from reoccurring, we have enhanced our security measures and are conducting a thorough review of our policies and procedures." 

These enhanced security measures include adding a 24/7 physical security presence at the location that was burglarized, according to a company notice. 

This is the second big HIPAA breach for Advocate Health System. In 2009, company officials notified 812 patients that their protected health information had been compromised following the theft of an employee's unencrypted laptop.

This breach stands as the second biggest HIPAA breach ever reported, according to HHS data – just behind the TRICARE Management Activity breach, which impacted more than 4.9 million patients back in 2011.