Chicago based Advocate Medical Group announced that a burglary at their administrative office has resulted in a breach of 4 million patient records.
Immediately after discovering that four computers were stolen, that same day, the Park Ridge Police Department was notified. AMG then launched an investigation and discovered that while the computers did not contain patient medical records, they did house patient information, including names, addresses, dates of birth and Social Security numbers. The computers also had limited clinical information, such as the treating physicians and/or departments, diagnoses, medical record numbers, medical service codes, and health insurance data.
4 desktop computers were stolen in the break-in. The computers were password protected but they were not encrypted.
Questions
A few questions come to mind when looking at this incident:
- Why are 4 million patient records sitting on desktop computers and not stored on a centralized server?
- Why were these 4 computers not encrypted to protect the patient information?
- Did Advocate Medical Group perform a HIPAA Risk Assessment and why were these risks not identified?
Huge Breach Expense
Putting aside any possible HIPAA related fines from The HHS Office of Civil Rights, the cost of this breach is huge. It is estimated that a healthcare related data breach costs around $240 per record.
4 million breached records could cost Advocate $960,000,000
Encryption
Encrypting a desktop computer cost less than $100 per year. Let’s assume that 100 desktop computers stored PHI (again, why is PHI stored on a desktop and not stored on a server?). The cost to encrypt the 100 desktop computers would be around $10,000 per year. $10,000 is a lot cheaper than $960,000,000! It would have only cost $400 to encrypt these 4 desktops.
Spending $400 would have prevented a $960,000,000 breach!
If the desktop computers were encrypted there would be no breach reporting expenses, no damage to their reputation, etc. The cost to Advocate would be a fraction of the $960,000,000 they are now facing.
Your Turn
Do you know how many patient records are stored in your organization? Do you know where these records are stored? Are they stored on desktops, laptops, smartphones, etc.?
- Perform a HIPAA Risk Assessment to identify where patient information is stored and the risk to the information
- Encrypt all devices that store patient information – the expense will be a LOT cheaper than breach related expenses!
- Train your employees on how to protect patient information
Protecting patient information is a lot cheaper than breach related expenses!
[framed_box bgColor=”#ffd390″]Free HIPAA Security Training!
All Covered Entities and Business Associates need to train their employees on HIPAA security. We now offer free online HIPAA security training for Covered Entities and Business Associates. Find out more about our free training and send the information to ALL your colleagues and Business Associates.
Now it is easy to train your employees on protecting patient information!
[/framed_box]
Leave a Reply