Federal regulators and the Illinois attorney general's office confirmed this week that they will investigate Advocate Medical Group's data breach, the second-largest loss of unsecured protected health information reported to the Department of Health and Human Services since it implemented a mandatory notification rule in September 2009.
The breach, which the health care nonprofit revealed late last week, affects more than 4 million patients seen by Advocate Medical Group physicians, either in a medical office or a hospital, from the early 1990s through July.
Patients began receiving notification letters last weekend informing them of the July 15 theft of four unencrypted desktop computers from a Park Ridge, Ill., administrative office.
Downers Grove, Ill.-based Advocate said the data includes names, addresses, dates of birth and Social Security numbers. While full patient medical records were not on the computers, medical data for some patients also is at risk, including diagnoses, medical record numbers, medical service codes and health insurance information.
The computers were password-protected but not encrypted. Encryption would render the information unreadable to everyone except authorized users.
Rachel Seeger, a spokeswoman for the Health and Human Services Department, said the agency "takes these investigations very seriously, and since 2009 we have had a track record of taking a number of very high-profile actions that have sent clear messages to the industry that we expect full compliance with (data) privacy and security rules."
The agency, which investigates every data breach that involves more than 500 people, has collected more than $18.4 million in fines in 16 major cases. Fines are most often levied on health care providers and other entities that handle patient data in cases where "protected health information" is exposed.
In the Advocate case, several categories of data reported as at risk appear to qualify as protected health data under federal law, including medical record numbers, health insurance information, Social Security numbers and other information that could be used for fraudulent purposes.
Seeger declined to address the Advocate breach in detail, citing an "active law enforcement investigation."
Maura Possley, a spokeswoman for the Illinois attorney general's office, said Wednesday that investigators began working the case after Advocate notified the state of the breach on Aug. 22. She declined to provide further details of the investigation.
Kelly Jo Golson, an Advocate senior vice president, acknowledged Wednesday that some of the data at risk qualifies as protected health information under the law. She also said the sensitive data should not have been stored on the computers' hard drives. "This type of data should always be maintained on our secure network," she said.
Advocate is working with several outside experts and consultants to address the issue. Its efforts include mapping all of its computer and software systems to identify where patient information is stored and ensure it is secured, Golson said.
"We understand why patients are anxious and concerned," she said. "We deeply regret the inconvenience this incident has caused the patients who have entrusted us with their care."
The computers have not been recovered, and Park Ridge police continue to