(Article updated at 7:45 p.m. ET.)
One warm night in mid-July, more than 4 million patient records breezed out the door of the Advocate Medical Group administrative office in Park Ridge, Ill., in the arms of an unidentified thief who stole four computers from the largest medical group in Illinois. The 1,100-physician medical group is part of the 11-hospital Advocate Health Care
Because those records were kept on four stolen computers that were not protected by encryption, if a summary of that event gets posted to the “wall of shame” website kept by the Office for Civil Rights at HHS, which most likely it will, it will rank as the largest breach of federally protected records by a healthcare provider in U.S. history—at least in the history of the Office for Civil Rights' breach list, which the HHS agency has been required to publicly post since September 2009 under the American Recovery and Reinvestment Act.
Penalties in the form of settlement agreements for breaches of this magnitude in recent years have run to $1 million or more.
“It's a huge breach,” said Tom Walsh, principal of Tom Walsh Consulting, Overland Park, Kan. This is likely to be the second trip to the OCR wall for Advocate. The theft of a laptop back in November 2009 also made the list because it, too, was unencrypted. The stolen laptop had the medical records of 812 individuals on board.
In an Aug. 23 statement, Advocate announced the breach, adding that it had sent letters to the affected patients and had offered them one year of credit monitoring. Advocate also said it had “reinforced our security protocols and encryption program with associates.” An Advocate spokeswoman said an encryption program launched by the organization in 2009 had not reached the four computers in the Park Ridge office.
Susan McAndrew, deputy director for health information privacy at the Office for Civil Rights, confirmed the agency, which has privacy and security rule enforcement authority under the Health Insurance Portability and Accountability Act, had received a breach report from Advocate and has referred it to its regional office in Chicago for investigation.
Maura Possley, spokeswoman for Illinois Attorney General Lisa Madigan, said the attorney general's office is also investigating the Advocate breach incident for potential violations under HIPAA and the Illinois Consumer Fraud and Deceptive Business Practices Act.
The costs to Advocate of this latest breach are likely to be substantial.
“You can imagine the extent of the forensic analysis to uncover what was on those hard drives,” said Kelly Jo Golson, senior vice president and chief marketing officer for Advocate Health Care, based in Downers Grove, Ill. “To the best of our knowledge, this data goes back to the early 1990s.”
“We established the call center, we set up the website,” Golson said. Advocate also sent out more than 4 million letters to affected patients and even hired 24/7 security guard coverage at its Park Ridge administrative office and is reviewing the need for physical security throughout the organization.
Golson said Advocate hasn't tallied up the costs of the breach. “At some point, we'll look at the financial implications, but we're not there yet.”
So far, there has been no recovery of the computers or an arrest.
Golson said Advocate embarked on a program of encrypting its computers in 2009, the year the laptop went missing. The initial target was to encrypt “all new laptops and all old ones that were able to be encrypted.” Next, the hospital started on desktop computers, again, ensuring all new ones were encrypted and “we began a process to encrypt old ones.”
Golson said she didn't know the number of computers Advocate uses at its more than 250 care sites. “We do have 35,000 associates across the Advocate enterprise, so it's a large number.”
Golson said the data types in the stolen records varied. Some included Social Security numbers or medical record numbers, for example, while others did not. The data was used for primarily operational and administrative purposes” such as appointments scheduling, benefits verification, coordination of care and patient registration.
Those data elements, while limited, still would be sufficient for medical identity theft, said Pam Dixon, founder and executive director of the World Privacy Forum.
In two online public statements, Advocate said the breach involved “no patient medical records” and it “has no impact on patient care.”
“We are certainly not trying to state that this information couldn't be used inappropriately,” Golson said. “We just wanted to assure folks it wasn't the level of information that's include in a full medical record. We understand why our patients are concerned. We deeply regret this.”
According to Walsh, given the risk of storing data without encryption and the relatively low cost to encrypt—about $55 per computer—it's hard to accept the lack of encryption on purely the cost of installing encryption software. Data handlers are supposed to be in compliance with HIPAA's security
Only 64% of healthcare organizations—both hospitals and office based physician practices—use encryption when they transmit healthcare information, according to a survey conducted in 2012 by the Healthcare Information and Management Systems Society, said Lisa Gallagher, vice president, technology solutions for HIMSS
Advocates of encryption say there is a people problem in convincing physician groups to use encryption. “Their eyes kinda of glaze over,” he said. “They don't have anybody that's technically qualified. It's generally going to fall to the practice manager who's going to be the compliance officer, the privacy officer, the security officer and every other thing they have to do, including running a practice.”
Walsh said he's also heard grumbling, “If you put full-disk encryption on, and you boot up, it slows the boot up the process.” Walsh said it might require two passwords, one for encryption and one for the operating system. “A lot of times people think that's inconvenient.” But with the latest Windows operating system, disk encryption is available as an option. All that needs be done is to turn it on, he said.
For a big group like Advocate, not addressing encryption is another story. “I just can't understand how an organization could have allowed that to occur,” Walsh said. “They should have identified this through their risk analysis years ago, and it should have been remediated.”
The record for the all-time largest HIPAA breach for any entity thus far goes to Science Applications International Corp., the business associate of a HIPAA-covered entity, Tricare Management Activity, the Defense Department's health insurer. In 2011, an SAIC employee reportedly had backup tapes stolen from his parked car in San Antonio. Those unencrypted tapes bore the records of 4.9 million active duty and retired military personnel covered by Tricare.
If lack of encryption seems to be a common theme running through these three breach incidents, there's good reason.
There are currently 659 breaches on the OCR list. In each, the records of 500 or more individuals have been exposed. Combined, they account for more than 22.8 million records breached. Of the listed breaches involving unencrypted computers or other electronic devices, 48% of the incident reports mention theft, 11% loss; and 8% hacking, all events that encryption might have mitigated.
Encryption won't by itself solve all of the healthcare industry's medical records security problems—nearly 1 in 4 reported breaches (24%) on the Office for Civil Rights list involved paper records. But encrypting electronic records
would go a long way toward keeping a healthcare organization out of hot water with the feds. Under HIPAA, data that are sufficiently encrypted to be rendered “unusable, unreadable or indecipherable” make it unnecessary to file a breach notification, for example.
Gallagher said her organization is about to begin this year's survey and should have results by December. With more rigorous enforcement of the HIPAA security rule in recent years, Gallagher said she hopes to see a rise in encryption usage.Follow Joseph Conn on Twitter: @MHJConn