Federal regulators and the Illinois attorney general's office confirmed this week that they will investigate Advocate Medical Group's data breach, the second-largest loss of unsecured protected health information reported to the Department of Health and Human Services since it implemented a mandatory notification rule in September 2009.
The breach, which the health care nonprofit revealed late last week, affects more than 4 million patients seen by Advocate Medical Group physicians, either in a medical office or a hospital, from the early 1990s through July.
Patients began receiving notification letters last weekend informing them of the July 15 theft of four unencrypted desktop computers from a Park Ridge, Ill., administrative office.
Downers Grove, Ill.-based Advocate said the data includes names, addresses, dates of birth and Social Security numbers. While full patient medical records were not on the computers, medical data for some patients is also at risk, including diagnoses, medical record numbers, medical service codes and health insurance information.
While the computers were password-protected, their hard drives were not encrypted. A login password does not protect data at rest: a thief can simply remove the drive and read it from another machine. Encryption, by contrast, renders the stored information unreadable to anyone who does not hold the key.
Rachel Seeger, a spokeswoman for the Health and Human Services Department, said the agency “takes these investigations very seriously, and since 2009 we have had a track record of taking a number of very high-profile actions that have sent clear messages to the industry that we expect full compliance with (data) privacy and security rules.”
The agency, which investigates every data breach that involves 500 or more people, has collected more than $18.4 million in fines in 16 major cases. Fines are most often levied against health care providers and other entities that handle patient data in cases where “protected health information” is exposed.
In the Advocate case, several categories of data reported as at risk appear to qualify as protected health data under federal law, including medical record numbers, health insurance information, Social Security numbers and other information that could be used for fraudulent purposes.
Seeger declined to address the Advocate breach in detail, citing an “active law enforcement investigation.”
Maura Possley, a spokeswoman for the Illinois attorney general’s office, said Wednesday that investigators began working the case after Advocate notified the state of the breach on Aug. 22. She declined to provide further details of the investigation.
Kelly Jo Golson, an Advocate senior vice president, acknowledged Wednesday that some of the data at risk qualifies as protected health information under the law. She also said the sensitive data should not have been stored on the computers’ hard drives. “This type of data should always be maintained on our secure network,” she said.
Advocate is working with several outside experts and consultants to address the issue. Its efforts include mapping all of its computer and software systems to identify where patient information is stored and ensure it is secured, Golson said.
“We understand why patients are anxious and concerned,” she said. “We deeply regret the inconvenience this incident has caused the patients who have entrusted us with their care.”
The computers have not been recovered, and Park Ridge police continue to investigate the break-in.
Thieves who gain access to this type of data can use it for a variety of fraudulent purposes, including obtaining credit cards, lines of credit and false identification cards.
Health data like diagnoses, medical service codes and insurance information can be used for much larger fraud schemes involving insurers like Medicare and Medicaid, said Ryan Kalember, chief product officer at WatchDox Inc., a Palo Alto, Calif.-based software company that makes data security products.
Criminals can set up fake provider identifications and fraudulently bill insurance companies or the government for services never rendered.
“Having someone’s insurance information is critical, but having their (personal health information) itself is very useful in order to make the fraud more convincing,” Kalember said. “These are much more sophisticated operations that can net much better dollars, and in many cases it’s paid for by us as taxpayers.”
There are also, of course, privacy implications.
“If you can find out the health condition of a politician or a CEO, whether he has HIV, diabetes or terminal cancer, you can commit a totally different type of fraud,” including blackmail and extortion, said Will Hinde, director of health care strategy and solutions at West Monroe Partners LLC, a Chicago-based consulting firm. “And once that information is out, it’s out. You can cancel your credit card and get a new one, but you can’t trade in your body.”
Since Health and Human Services began tracking and investigating health-related data breaches in late 2009, there have been at least 660 reported breaches that each involve 500 or more individuals. With the Advocate case included, personal and health data of about 27 million people has been put at risk, according to agency data.
The largest breach occurred in September 2011, when the vendor that operates Tricare, the health program for U.S. military members and their dependents, lost data on 4.9 million patients when backup tapes were stolen from an employee’s car. The Health and Human Services department has not completed its investigation in that case.
A more recent settlement involving Blue Cross Blue Shield of Tennessee bears similarities to the Advocate case. In March 2012, the insurer agreed to pay $1.5 million to settle potential privacy and security violations after 57 unencrypted computer hard drives were stolen.
Advocate went public with the latest breach Aug. 23, 39 days after it discovered the computer theft. While some patients have decried the delay, the federal breach notification rule requires notice without unreasonable delay and no later than 60 days after discovery, so the organization acted within the legal deadline.
In response to the breach, Advocate is offering a free year of credit monitoring services to those whose information may have been exposed. It also set up a website and a call center, which is handling about 2,000 calls a day, Golson said. In response to the high volume, Advocate has increased its call center staffing by about 30 percent.
“Our primary focus is on offering all (patients) resources to answer their questions and tools to protect their personal information,” Golson said. “We do not believe the data was targeted, and we have no information that leads us to believe that (it) has been misused.”
©2013 Chicago Tribune
Visit the Chicago Tribune at www.chicagotribune.com
Distributed by MCT Information Services