Penalties in the form of settlement agreements for breaches of this magnitude in recent years have run to $1 million or more.
“It's a huge breach,” said Tom Walsh, principal of Tom Walsh Consulting, Overland Park, Kan.
This is likely to be the second trip to the OCR wall for Advocate. The theft of a laptop in November 2009 also made the list because it, too, was unencrypted. The stolen laptop carried the medical records of 812 individuals.
In an Aug. 23 statement, Advocate announced the breach, adding that it had sent letters to the affected patients and had offered them one year of credit monitoring. Advocate also said it had “reinforced our security protocols and encryption program with associates.” An Advocate spokeswoman said an encryption program launched by the organization in 2009 had not reached the four computers in the Park Ridge office.
Susan McAndrew, deputy director for health information privacy at the Office for Civil Rights, confirmed the agency had received a breach report from Advocate and has referred it to its regional office in Chicago for investigation.
Maura Possley, spokeswoman for Illinois Attorney General Lisa Madigan, said her office is also investigating the Advocate breach incident for potential violations under the Health Insurance Portability and Accountability Act and the Illinois Consumer Fraud and Deceptive Business Practices Act.
The costs to Advocate of this latest breach are likely to be substantial.
“You can imagine the extent of the forensic analysis to uncover what was on those hard drives,” said Kelly Jo Golson, senior vice president and chief marketing officer for Advocate Health Care, based in Downers Grove, Ill. “To the best of our knowledge, this data goes back to the early 1990s.”
“We established the call center, we set up the website,” Golson said. Advocate also sent out more than 4 million letters to affected patients, hired 24/7 security guard coverage at its Park Ridge administrative office, and is reviewing the need for physical security throughout the organization.
Golson said Advocate hasn't tallied up the costs of the breach. “At some point, we'll look at the financial implications, but we're not there yet.”
So far, there has been no recovery of the computers or an arrest.
Golson said Advocate embarked on a program of encrypting its computers in 2009, the year the laptop went missing. The initial target was to encrypt “all new laptops and all old ones that were able to be encrypted.”