Advocate Data Breach – Different Year, Same Encryption Problems
In many respects, it has been The Summer of The Data Breach. HHS brought down the hammer on Wellpoint, fining the insurer $1.7 million after discovering the impermissible disclosure of over 600,000 patient records through an unsecured online application. A couple of weeks later OHSU reported a breach of over 3,000 patient records when hospital officials learned that providers were using Google Drive to share patient records in the cloud. Finally, just two weeks ago in the event that sent shock waves through both covered entities and business associates, OCR and Affinity reached a $1.2 million settlement after the health plan failed to delete over 300,000 patient records off a digital photocopier it had leased in 2010. A subsequent lessee, CBS, noticed a large amount of leftover sensitive data.
An Unfortunate Healthcare Breach
So, in what can only be described as a fitting event to close out the summer, this Labor Day weekend punctuated the series of noteworthy PHI incidents with the discovery that Advocate Health lost more than 4 million patient records after a thief stole four computers from the largest Illinois medical group. In an all-too-familiar fact pattern, the laptops were not encrypted, leaving every record on them exposed to compromise.
While the number of compromised patient records is staggering, the biggest shock of all is that Advocate has dealt with this exact problem before. After a 2009 laptop theft, Advocate landed on the OCR “Wall of Shame” for a breach in which 812 patient records walked out the door with the thief. In a settlement with federal regulators stemming from that first incident, Advocate agreed to launch an encryption program so that future mobile devices would be protected from third-party access even if stolen. An Advocate spokeswoman indicated that this encryption program had not yet reached the four recently stolen laptops.
Be Proactive with Healthcare Security and Encryption
Though unfortunate, the Advocate case offers some valuable lessons. Large healthcare organizations have the resources and IT personnel to roll out protective measures for their patients’ data, but given the organizational complexities and many moving parts, even requirements imposed by a federal lawsuit settlement may take a hospital system years to roll out completely. What’s more, as the number and variety of mobile devices increase, huge health systems will find it difficult to remain flexible enough to account for these new challenges.
The change providers adopt must be more foundational. Instead of constantly patching over security issues, providers should choose solutions with security already built into the product infrastructure. Instead of allowing clinicians to use yet another device to access PHI, CIOs should first consider how to secure the processes already in place. Left unaddressed, your facility might find itself headlining the next season of data breaches.