Personal data for 4 million patients at risk after burglars snatch computers with Advocate Medical Group's patient information
Peter Frost and Julie Wernau of the Chicago Tribune report than 4 million patients of Advocate Medical Group may be at risk of ID theft after four computers were stolen during a burglary last month at Advocate’s administrative building on West Touhy Avenue in Park Ridge. Advocate Medical Group is part of Advocate Health Care.
In its statement on patientnotice.org, a web site it created about the breach, Advocate explains that the burglary, which occurred overnight, was discovered on July 15.
Our investigation confirmed that the computers contained patient information used by Advocate for administrative purposes and may have included patient demographic information (for example, names, addresses, dates of birth, Social Security numbers) and limited clinical information (for example, treating physician and/or departments, diagnoses, medical record numbers, medical service codes, health insurance information). Patient medical records were not on the computers and patient care will not be affected.
That sounds like more than enough information for ID theft and possibly medical ID theft if the insurance information included policy numbers. Although the burglars may have stolen the hardware for its non-content value, will someone discover what is on it and try to misuse the patient information?
And did Advocate have enough security in place? The Chicago Tribune reports:
The building was not equipped with an alarm, but it had a security camera and a panic button, Golson said. Advocate has since installed continuous security staffing at the office and is re-evaluating its security systems and practices systemwide.
The lack of encryption is probably the most glaring security failure. Did their policies require encryption but the policies weren’t followed or did they not have an encryption policy in place? And will HHS see this as insufficient physical security and insufficient technical security?
What will HHS do? And what will the state attorney general do?
A copy of Advocate’s patient notification letter has been uploaded to the California Attorney General’s breach reporting site, here (pdf).