September 07, 2013 01:00 AM

Unprotected data

Advocate breach highlights fact that 36% of providers don't use encryption

Joseph Conn

    One warm night in mid-July, more than 4 million patient records breezed out the door of the Advocate Medical Group administrative office in the arms of an unidentified thief who stole four computers from the largest medical group in Illinois. The 1,100-physician medical group based in Park Ridge is part of the 10-hospital Advocate Health Care system.

    Those records were kept on four stolen computers that were not protected by encryption. If a summary of that event gets posted to the “wall of shame” website kept by the Office for Civil Rights at HHS, which most likely it will, it will rank as the largest breach of federally protected records by a healthcare provider on that list.

    Penalties in the form of settlement agreements for breaches of this magnitude in recent years have run to $1 million or more.

    “It's a huge breach,” said Tom Walsh, principal of Tom Walsh Consulting, Overland Park, Kan.

    This is likely to be the second trip to the OCR wall for Advocate. The theft of a laptop in November 2009 also made the list because it, too, was unencrypted. The stolen laptop carried the medical records of 812 individuals.

    In an Aug. 23 statement, Advocate announced the breach, adding that it had sent letters to the affected patients and had offered them one year of credit monitoring. Advocate also said it had “reinforced our security protocols and encryption program with associates.” An Advocate spokeswoman said an encryption program launched by the organization in 2009 had not reached the four computers in the Park Ridge office.

    Susan McAndrew, deputy director for health information privacy at the Office for Civil Rights, confirmed the agency had received a breach report from Advocate and has referred it to its regional office in Chicago for investigation.

    Maura Possley, spokeswoman for Illinois Attorney General Lisa Madigan, said her office is also investigating the Advocate breach incident for potential violations under the Health Insurance Portability and Accountability Act and the Illinois Consumer Fraud and Deceptive Business Practices Act.

    The costs to Advocate of this latest breach are likely to be substantial.

    “You can imagine the extent of the forensic analysis to uncover what was on those hard drives,” said Kelly Jo Golson, senior vice president and chief marketing officer for Advocate Health Care, based in Downers Grove, Ill. “To the best of our knowledge, this data goes back to the early 1990s.”

    “We established the call center, we set up the website,” Golson said. Advocate also sent out more than 4 million letters to affected patients, hired 24/7 security guard coverage at its Park Ridge administrative office, and is reviewing the need for physical security throughout the organization.

    Golson said Advocate hasn't tallied up the costs of the breach. “At some point, we'll look at the financial implications, but we're not there yet.”

    So far, there has been no recovery of the computers or an arrest.

    Golson said Advocate embarked on a program of encrypting its computers in 2009, the year the laptop went missing. The initial target was to encrypt “all new laptops and all old ones that were able to be encrypted.”

    Golson said she didn't know the number of computers Advocate uses at its more than 250 care sites.

    Golson said the data types in the stolen records varied. Some included Social Security numbers or medical record numbers, while others did not. The data were used primarily for operational and administrative purposes such as appointment scheduling, benefits verification, coordination of care and patient registration.

    Those data elements, while limited, still would be sufficient for medical identity theft, said Pam Dixon, founder and executive director of the World Privacy Forum.

    In two online public statements, Advocate said the breach involved “no patient medical records” and it “has no impact on patient care.”

    “We are certainly not trying to state that this information couldn't be used inappropriately,” Golson said.

    “We just wanted to assure folks it wasn't the level of information that's included in a full medical record. We understand why our patients are concerned. We deeply regret this,” she said.

    According to Walsh, given the risk of storing data without encryption and the relatively low cost to encrypt—about $55 per computer—it's hard to accept the lack of encryption.

    Since 2005, data handlers have been required to be in compliance with HIPAA's security standards, he said.

    Only 64% of healthcare organizations—both hospitals and office-based physician practices—use encryption when they transmit healthcare information, according to a survey conducted in 2012 by the Healthcare Information and Management Systems Society, said Lisa Gallagher, vice president of technology solutions for HIMSS.

    For a big group such as Advocate, “I just can't understand how an organization could have allowed that to occur,” Walsh said. “They should have identified this through their risk analysis years ago, and it should have been remediated.”

    Follow Joseph Conn on Twitter: @MHJConn

    Modern Healthcare
    Copyright © 1996-2022. Crain Communications, Inc. All Rights Reserved.