I’ve had a lot of coverage of Advocate Health’s breaches over the past years that you can access here. Here is HHS’s announcement of the settlement of their charges:

Advocate Health Care Network (Advocate) has agreed to a settlement with the U.S. Department of Health and Human Services, Office for Civil Rights (OCR), for multiple potential violations of the Health Insurance Portability and Accountability Act (HIPAA) involving electronic protected health information (ePHI). Advocate has agreed to pay a settlement amount of $5.55 million and adopt a corrective action plan. This significant settlement, the largest to date against a single entity, is a result of the extent and duration of the alleged noncompliance (dating back to the inception of the Security Rule in some instances), the involvement of the State Attorney General in a corresponding investigation, and the large number of individuals whose information was affected by Advocate, one of the largest health systems in the country.

“We hope this settlement sends a strong message to covered entities that they must engage in a comprehensive risk analysis and risk management to ensure that individuals’ ePHI is secure,” said OCR Director Jocelyn Samuels. “This includes implementing physical, technical, and administrative security measures sufficient to reduce the risks to ePHI in all physical locations and on all portable devices to a reasonable and appropriate level.”

OCR began its investigation in 2013, when Advocate submitted three breach notification reports pertaining to separate and distinct incidents involving its subsidiary, Advocate Medical Group (“AMG”). The combined breaches affected the ePHI of approximately 4 million individuals. The ePHI included demographic information, clinical information, health insurance information, patient names, addresses, credit card numbers and their expiration dates, and dates of birth.
OCR’s investigations into these incidents revealed that Advocate failed to: conduct an accurate and thorough assessment of the potential risks and vulnerabilities to all of its ePHI; implement policies and procedures and facility access controls to limit physical access to the electronic information systems housed within a large data support center; obtain satisfactory assurances in the form of a written business associate contract that its business associate would appropriately safeguard all ePHI in its possession; and reasonably safeguard an unencrypted laptop when left in an unlocked vehicle overnight.

Advocate Health Care Network is the largest fully integrated health care system in Illinois, with more than 250 treatment locations, including ten acute-care hospitals and two integrated children’s hospitals. Its subsidiary, AMG, is a nonprofit physician-led medical group that provides primary care, medical imaging, outpatient and specialty services throughout the Chicago area and in Bloomington-Normal, Illinois.

Read the resolution agreement and corrective action plan.

SOURCE: HHS
Linn Foster Freedman writes:

Last week, an Illinois judge dismissed with prejudice five of the six claims levied against Advocate Health Care in a consolidated case of ten cases filed against it following the data breach it experienced in July of 2013, when four unencrypted laptops were stolen from its administrative office, exposing the data of four million patients. The only remaining claim is that of negligence for those plaintiffs who claim they suffered identity theft as a result of the data breach.

SOURCE: Robinson & Cole
There’s an update to another case I’ve been following. Although Advocate Health won dismissal of some lawsuits stemming from the theft of four laptops with information on over 4 million patients, plaintiffs have asked the Seventh Circuit for another bite at the apple under the Fair Credit Reporting Act (FCRA). So far, attempts to litigate breaches under FCRA have not been successful, but plaintiffs hope the Seventh Circuit will buy their argument.
From the no-surprise-to-me dept.: Advocate Health, which had already succeeded in getting other putative class action claims dismissed, has now also succeeded in getting a claim that it violated the Fair Credit Reporting Act dismissed. Plaintiffs, who generally attempt a variety of state and federal claims in breach lawsuits, had argued that by failing to adequately secure patient information, Advocate Health had violated the FCRA. The court rejected the argument, holding that Advocate Health is not a consumer reporting agency within the meaning of the statute.
From the no-surprise-there dept.: An Illinois state court on Thursday tossed a putative class action over a data breach at Advocate Health and Hospitals Corp., ruling that the plaintiffs needed to prove that their data had actually been misused in order to sustain their claims.

Read more on Law360.com (paywall).
Law360 reports:

An Illinois state court on Tuesday dismissed a putative class action claiming Advocate Health and Hospitals Group was responsible for breaching class members’ privacy when four laptop computers containing patient information were stolen from administrative offices. The court ruled the plaintiffs couldn’t show they’d actually been harmed or that their data was stolen or used for purposes they hadn’t authorized, according to the decision.

Access to the full article requires a subscription.
Jake Prinsen reports:

Hackers may have stolen personal information from patients at Aurora Medical Center Bay Area. Someone used an email phishing scam around January 1 to gain access to email accounts of several of the Marinette hospital’s employees, according to Advocate Health Aurora.

Read more on Green Bay Press Gazette.
What is it about “no standing” that plaintiffs’ lawyers fail to accept? And why do they keep filing lawsuits when the courts have been fairly consistent in dismissing for lack of standing whenever a lead plaintiff can’t demonstrate actual injury or harm, or a truly imminent and likely injury? Law360 reports:

An Illinois appellate court on Tuesday affirmed the dismissal of a pair of putative class actions over a data breach at Advocate Health and Hospitals Corp., finding that a lack of any evidence of identity theft or other concrete injury doomed the plaintiffs’ claims.
HHS updated its breach tool yesterday. The following is an annotated list of new entries on their list. It is not clear to me why there are breach entries for breaches that occurred in 2011 or 2012. Did HHS delay in adding incidents to the breach tool, or are entities only now discovering and/or reporting the incidents? Unfortunately, HHS’s breach list does not include a field for the date on which the incident was reported, only the date that HHS adds it to the list.

The following are newly added incidents for which we already had some information:

UT Physicians, the medical group practice of The University of Texas Health Science Center at Houston (UTHealth) Medical School, reported that 596 patients had PHI on the laptop reported missing or stolen.

The Olson & White Orthodontics burglary was reported to HHS with the same details as previously reported on this blog.

The City of Seguin, TX reported that 839 patients were affected by the Advanced Data Processing (ADPI) breach in 2012, while Washington County EMS, TX reported that 1,435 of their patients were affected and the City of North College Hill reported that 555 of their patients were affected. For all previous coverage on this blog of ADPI’s breach, click here.

Parkview Community Hospital Medical Center in California reported that 32,000 of its patients were affected by the Cogent Healthcare breach, which was caused by a firewall error by Cogent’s transcription service vendor, M2ComSys. It’s a bit surprising to see one hospital report 32,000, since media reports at the time suggested that 32,000 was the total across all affected hospitals. The number of Parkview patients needs to be confirmed, as they may have reported the total number from Cogent and not just their own portion.

Jackson Health System in Florida reported that 1,471 patients had PHI in boxes of records that were discovered missing or unaccounted for. The boxes were discovered missing in January.

St. Anthony’s Physician Organization in Missouri reported the July 29 theft of a laptop with PHI of 2,600 patients. The laptop was stolen from a physician’s car.

Advocate Health and Hospitals Corporation, d/b/a Advocate Medical Group, reported the theft of computers containing PHI on 4,029,530 patients.

The following are incidents that were not previously noted on this blog:

The Kaiser Foundation Health Plan of the Northwest reported a breach affecting 647 patients that occurred on March 15, 2013. This does not appear to be the same breach reported recently on this blog, but as yet I’ve found no details on it, and I have e-mailed Kaiser Permanente to request information.

Update 1: Kaiser Permanente Northwest replied to my inquiry with the following statement:

Kaiser Permanente Northwest recently discovered that an employee viewed medical records without proper authorization. A comprehensive investigation of the incident has been completed and state and federal regulatory agencies notified. Notification letters have been mailed to every affected Kaiser Permanente member. Our internal investigation of this matter shows: there is no evidence that information was viewed by the employee for the purpose of fraud or other criminal activity; the employee had no access to Social Security numbers, credit card information, or records through Mental Health or Addiction Medicine specialties; and there is no evidence that the employee retained, maintained, or stored any of the information contained in the medical records.

Summit Community Care Clinic in Colorado reported that 921 patients were affected by a Hacking/IT incident that occurred July 22. There is no statement or notice on their web site at this time, and PHIprivacy.net e-mailed them to request information. (See update HERE.)

Minne-Tohe Health Center/Elbowoods Memorial Health Center in North Dakota reported a breach affecting 10,000. The breach reportedly occurred October 1, 2011; the breach type is listed as “Improper Disposal, Unauthorized Access/Disclosure” and the location of the information as “Desktop Computer, Other.” Clear as mud, right? I have no idea what happened there or why it took almost two years for this to show up on HHS’s breach tool. This one may require a phone call.

Logan Community Resources, Inc. in Indiana reported that 2,900 were affected by a “Hacking/IT Incident” that occurred on August 24, 2012. Again, I could find no information online a year after the breach, and so sent an e-mail requesting details of the incident.

St. Francis Health Network, aka Franciscan Alliance ACO in Indiana, reported that a breach involving Advantage Health Solutions affected 2,575 patients. The breach occurred on October 19, 2012. The log entry does not appear to be related to this breach report from July involving Advantage Health Solutions, and PHIprivacy.net has e-mailed Franciscan Alliance ACO to ask for details on the incident.

Because the e-mail inquiries sent yesterday have not yet received any replies, do check back to see if this post is updated with additional details.
Peter Frost and Julie Wernau of the Chicago Tribune report that 4 million patients of Advocate Medical Group may be at risk of ID theft after four computers were stolen during a burglary last month at Advocate’s administrative building on West Touhy Avenue in Park Ridge. Advocate Medical Group is part of Advocate Health Care.

In its statement on patientnotice.org, a web site it created about the breach, Advocate explains that the burglary, which occurred overnight, was discovered on July 15:

Our investigation confirmed that the computers contained patient information used by Advocate for administrative purposes and may have included patient demographic information (for example, names, addresses, dates of birth, Social Security numbers) and limited clinical information (for example, treating physician and/or departments, diagnoses, medical record numbers, medical service codes, health insurance information). Patient medical records were not on the computers and patient care will not be affected.

That sounds like more than enough information for ID theft, and possibly medical ID theft if the insurance information included policy numbers. Although the burglars may have stolen the hardware for its non-content value, will someone discover what is on it and try to misuse the patient information? And did Advocate have enough security in place? The Chicago Tribune reports:

The building was not equipped with an alarm, but it had a security camera and a panic button, Golson said. Advocate has since installed continuous security staffing at the office and is re-evaluating its security systems and practices systemwide.

The lack of encryption is probably the most glaring security failure. Under HHS’s guidance on rendering PHI unusable, unreadable, or indecipherable, ePHI on a device encrypted in accordance with that guidance is not “unsecured PHI,” so the theft of properly encrypted computers would not even have been a reportable breach. Did their policies require encryption but the policies weren’t followed, or did they not have an encryption policy in place? And will HHS see this as insufficient physical security and insufficient technical security? What will HHS do? And what will the state attorney general do?
A copy of Advocate’s patient notification letter has been uploaded to the California Attorney General’s breach reporting site, here (pdf).