In the second biggest HIPAA privacy breach ever reported, one of the nation's largest healthcare systems is notifying more than four million patients that their protected health information and Social Security numbers have been compromised after the theft of four unencrypted company computers.
Advocate Health System announced that the theft occurred at one of its Advocate Medical Group administrative buildings in Park Ridge, Ill. on July 15. Patient names, addresses, dates of birth, Social Security numbers and clinical information - including physician, medical diagnoses, medical record numbers and health insurance data - were all contained on the computers, officials say.
"We deeply regret that this incident has occurred," wrote Kevin McCune, MD, chief medical officer of Advocate Medical Group, in an Aug. 23 letter mailed to affected patients. "In order to prevent such an incident from reoccurring, we have enhanced our security measures and are conducting a thorough review of our policies and procedures."
These enhanced security measures include adding a 24/7 physical security presence at the location that was burglarized, according to a company notice.
These security measures should have been taken before the breach, however, argue patients who have filed a class action lawsuit against Advocate who "flagrantly disregarded" the privacy rights of 4.03 million people. The information contained on the laptops "was improperly handled and stored, was unencrypted, and not kept in accordance with applicable and appropriate cyber-security protocols, policies," according to the lawsuit.
The plaintiffs, Erica Tierney and Andris Strautins, who also represent the patients affected by the breach, allege that the unencrypted laptops were stolen from an "unmonitored room" with "little or no security to prevent unauthorized access."
They cite a recent Javelin Identity Fraud Report finding that individuals who have their PHI or protected insurance information compromised in a breach are almost 10 times more likely than the general public to experience identity theft or fraud.
This is the second big HIPAA breach for Advocate Health System. In 2009, company officials notified 812 patients that their protected health information had been compromised following the theft of an employee's unencrypted laptop.
This breach stands as the second biggest HIPAA breach ever reported, according to HHS data - just behind the TRICARE Management Activity breach, which impacted more than 4.9 million patients back in 2011.
Both the Office for Civil Rights and the Illinois attorney general's office have said they will investigate the breach further.
OCR Director Leon Rodriguez told Healthcare IT News in August that with the HIPAA Omnibus Final Rule, there's been an increase in fines and enforcements lately for organizations that blatantly disregarded patients' protected health information. "I think it's important because it very powerfully articulates what are our expectations are for covered entities, what risk analysis steps, what training steps, what disciplinary steps, what safeguard steps we expect of them," he said.