HIPAA Journal is the leading provider of news, updates, and independent advice for HIPAA compliance

Mammoth HIPAA Data Breach Exposes 4M Patient Records

Advocate Health Care, one of the nation’s largest healthcare providers, has announced that it has suffered a major HIPAA security breach after four unencrypted laptops were stolen from the Advocate Medical Group administrative buildings in Park Ridge, Illinois on July 15.

The laptops contained the records of over 4 million individuals, making this the second largest data security breach ever recorded. This HIPAA breach has affected almost as many patients as the TRICARE Management Activity breach which exposed the data of 4.9 million individuals in 2011.

The database on the laptops included personal identifiable information together with clinical data on patient illnesses, Social Security numbers, dates of birth, medical record numbers, treating doctors, health insurance details and patient names and addresses.

The theft has been reported to law enforcement; however the laptops and data have not yet been recovered. The Office for Civil Rights of the Department of Health and Human Services has been notified of the security breach and officials have confirmed that an investigation will be conducted.

Please see the HIPAA Journal Privacy Policy

3 Steps To HIPAA Compliance

Please see HIPAA Journal
privacy policy

  • Step 1 : Download Checklist.
  • Step 2 : Review Your Business.
  • Step 3 : Get Compliant!

The HIPAA Journal compliance checklist provides the top priorities for your organization to become fully HIPAA compliant.

In accordance with the HIPAA Security Rule, Advocate Health started mailing notifications of the breach to all affected individuals on August 23. The notifications contained an apology for the breach and advised those affected to take measures to mitigate any damage and losses caused. Advocate Health also stated that it will be implementing a host of new security measures to prevent further breaches from occurring. Those measures include adding a round the clock security presence at the building where the laptop theft occurred.

The security breach has resulted in a class action lawsuit being filed by two victims of the security breach who are representing all individuals affected. The plaintiffs allege that Advocate Health Care failed to implement adequate security measures to protect patient health information and had “little or no security to prevent unauthorized access.” The laptops were stolen from an unmonitored room according to the lawsuit.

The lawsuit references an Identity Fraud Report by Javelin that found the exposure of PHI from security breaches raised the likelihood of identity theft by ten percent. The claim also alleges that Advocate Heath Care breached the Fair Credit Reporting Act when it failed to implement appropriate safeguards to protect patient data.

Advocate Health Care could face a fine of up to $1.5 million if the OCR discovers evidence of HIPAA non compliance and if the lawsuit is successful the total settlements are likely to be in the order of several million dollars; considerably more than the cost of encrypting data on all portable devices and improving security. A laptop was stolen from Advocate Health Care in 2009 resulting in the exposure of 812 patient records and had the company taken this as a warning and applied the appropriate security measures, this massive data breach could have been avoided.

Author: Steve Alder is the editor-in-chief of HIPAA Journal. Steve is responsible for editorial policy regarding the topics covered on HIPAA Journal. He is a specialist on healthcare industry legal and regulatory affairs, and has several years of experience writing about HIPAA and other related legal topics. Steve has developed a deep understanding of regulatory issues surrounding the use of information technology in the healthcare industry and has written hundreds of articles on HIPAA-related topics.