Four Million Patient Records Breached During Burglary at the Advocate Medical Group. The Penalty? $960,000,000


September 23, 2013

Recently, Advocate Medical Group (AMG), based in the Chicago area, revealed that four million patient records were breached during a burglary at its administrative office. The break-in, which occurred at the administrative office on July 15, 2013 and resulted in the theft of four computers, was immediately reported to the Park Ridge Police Department.

AMG launched an investigation and found that the four computers did not contain full patient medical records; they did, however, contain patient information including names, dates of birth, addresses and social security numbers. In addition, the computers contained limited clinical information, such as attending physicians and/or departments, medical record numbers, diagnoses, medical service codes and health insurance data.

According to Bill Barr, a development coordinator with the newly formed Medical Identity Fraud Alliance (MIFA) and co-founder of the Smart Card Forum, the incident marks one of the largest health care breaches yet, with a surprisingly high number of patients whose information has been exposed.

It's important to note that while the computers were password protected, they weren't encrypted. An operating-system login password only controls who can log in; anyone who pulls the drive out of a stolen machine, or boots it from other media, can read every file on it. Only full-disk encryption protects the data once the hardware is gone. Naturally, this leads many people to wonder:

  • Why weren’t these four computers encrypted to protect the patient information?
  • Why were four million patient records contained on desktop computers instead of being on a centralized server?

Surely a HIPAA Risk Assessment would have identified these risks. Aside from any potential HIPAA-related fines from the HHS Office for Civil Rights, the cost of this breach is going to be huge. The estimated cost of a healthcare-related data breach is approximately $240 per record. Doing the math, four million breached records could cost AMG an estimated $960,000,000.

The Take-Home Message: Encryption and HIPAA Risk Assessments Should Always Be a Top Priority!

Encrypting a desktop computer costs less than $100 per year. Assuming that 100 desktop computers stored PHI (protected health information) that should have lived on a server, encrypting all 100 would cost approximately $10,000 per year. Would you rather pay $10,000 or $960,000,000? The answer is obvious: it would have cost about $400 to encrypt these four desktops. Under the HIPAA Breach Notification Rule, PHI that is encrypted in line with HHS guidance is not considered "unsecured," so the theft of a properly encrypted device generally does not trigger breach notification at all.

The $400 price would be a fraction of the $960,000,000 that AMG will now have to pay, not to mention the damage to their reputation that comes from a breach as severe as this.

Do you know how many patient records are currently stored on your organization's computers, and whether they are properly protected?

Where are these records stored?

Are they stored on laptops, desktops, smartphones, or any other devices?

To avoid an expensive breach, and damage to your organization’s reputation, follow these steps to provide maximum protection for PHI:

  1. Perform a HIPAA Risk Assessment to determine where patient information is stored and the potential risk of a data breach.
  2. Encrypt each device that contains patient information; as covered above, the expense will be far cheaper than breach-related expenses!
  3. Train all of your employees on how to properly protect PHI.
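Steps 1 and 2 above are the ones a technical team can actually verify on a workstation: find the files that look like they hold patient identifiers, then confirm that those files sit on an encrypted disk rather than merely behind a login password. The script below is an added example written for this page, not code from the original post or from Advocate/AMG. It scans file contents for SSN and date-of-birth shapes, and it reads the output of `lsblk -P -o NAME,PKNAME,TYPE,FSTYPE,MOUNTPOINT` (Linux) to decide whether each mountpoint is backed by a dm-crypt (LUKS) device somewhere in its parent chain. Every path, device name and record in it is constructed for the example.

```python
"""Endpoint PHI audit: added illustration, not code from the original post or from
Advocate/AMG. Finds files holding SSN-like identifiers and reports whether each one
sits on an encrypted block device (Linux, via `lsblk -P` output). All sample data is
constructed for the example."""
import re
import shlex
from pathlib import Path

# SSN shape (AAA-GG-SSSS), rejecting area numbers 000/666/9xx and all-zero groups.
SSN_RE = re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b")
# US-style date of birth MM/DD/YYYY; alongside SSNs it is a strong PHI signal.
DOB_RE = re.compile(r"\b(?:0[1-9]|1[0-2])/(?:0[1-9]|[12]\d|3[01])/(?:19|20)\d{2}\b")


def scan_text(text):
    """Count SSN-like and DOB-like tokens in one file's contents."""
    return {"ssn": len(SSN_RE.findall(text)), "dob": len(DOB_RE.findall(text))}


def find_phi_files(contents, min_ssn=1):
    """contents: {path: text}. Returns {path: counts} for files with >= min_ssn SSNs."""
    hits = {}
    for path, text in contents.items():
        counts = scan_text(text)
        if counts["ssn"] >= min_ssn:
            hits[path] = counts
    return hits


def load_tree(root, exts=(".txt", ".csv", ".log")):
    """Read plain-text files under root into the {path: text} shape find_phi_files wants."""
    return {str(p): p.read_text(errors="ignore")
            for p in Path(root).rglob("*") if p.is_file() and p.suffix.lower() in exts}


def parse_lsblk(output):
    """Parse `lsblk -P` KEY="value" lines into {device name: {field: value}}."""
    devices = {}
    for line in output.strip().splitlines():
        fields = dict(tok.split("=", 1) for tok in shlex.split(line))
        devices[fields["NAME"]] = fields
    return devices


def encrypted_mounts(output):
    """Map each mountpoint to True if it or any ancestor device is a dm-crypt mapping."""
    devices = parse_lsblk(output)
    result = {}
    for name, dev in devices.items():
        mp = dev.get("MOUNTPOINT", "")
        if not mp or mp == "[SWAP]":
            continue
        encrypted, cur = False, name
        while cur in devices:  # walk the PKNAME chain down to the physical disk
            if devices[cur]["TYPE"] == "crypt":
                encrypted = True
                break
            cur = devices[cur].get("PKNAME", "")
        result[mp] = encrypted
    return result


def mount_for(path, mounts):
    """Longest mountpoint that is a prefix of path ('/' matches everything)."""
    best = "/"
    for mp in mounts:
        if mp != "/" and path.startswith(mp.rstrip("/") + "/") and len(mp) > len(best):
            best = mp
    return best


def audit(contents, lsblk_output, min_ssn=1):
    """[(path, counts, encrypted)] for PHI-bearing files; unencrypted ones are the breach risk."""
    mounts = encrypted_mounts(lsblk_output)
    return [(path, counts, mounts.get(mount_for(path, mounts), False))
            for path, counts in sorted(find_phi_files(contents, min_ssn).items())]


# Constructed sample: LVM-on-LUKS root, plus a plain ext4 data disk (the risky one).
SAMPLE_LSBLK = """\
NAME="sda" PKNAME="" TYPE="disk" FSTYPE="" MOUNTPOINT=""
NAME="sda1" PKNAME="sda" TYPE="part" FSTYPE="vfat" MOUNTPOINT="/boot/efi"
NAME="sda2" PKNAME="sda" TYPE="part" FSTYPE="crypto_LUKS" MOUNTPOINT=""
NAME="luks-root" PKNAME="sda2" TYPE="crypt" FSTYPE="LVM2_member" MOUNTPOINT=""
NAME="vg-root" PKNAME="luks-root" TYPE="lvm" FSTYPE="ext4" MOUNTPOINT="/"
NAME="sdb" PKNAME="" TYPE="disk" FSTYPE="" MOUNTPOINT=""
NAME="sdb1" PKNAME="sdb" TYPE="part" FSTYPE="ext4" MOUNTPOINT="/data"
"""

# Constructed file contents standing in for a billing export and two harmless files.
SAMPLE_FILES = {
    "/data/exports/billing_2013-07.csv": ("mrn,name,dob,ssn,diagnosis\n"
                                          "100234,J. Doe,03/14/1961,123-45-6789,E11.9\n"
                                          "100235,A. Roe,11/02/1978,587-65-4321,I10\n"),
    "/home/clerk/notes.txt": "Scheduled 3 rooms on 07/15/2013, call 555-1212\n",
    "/var/log/app.log": "2013-07-15 08:00:01 started\n",
}

if __name__ == "__main__":
    for path, counts, enc in audit(SAMPLE_FILES, SAMPLE_LSBLK):
        print(f"{'OK  ' if enc else 'RISK'} {path}: {counts}")
```

On a real workstation, replace `SAMPLE_FILES` with `load_tree("/")` (or the user profile directories) and `SAMPLE_LSBLK` with the captured `lsblk` output; the pattern matching is deliberately narrow, so treat a file with several SSN and DOB hits as a lead for the risk assessment rather than proof, and extend the extensions and patterns (medical record numbers, insurance IDs) to match your own record formats.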

It’s difficult to think of an area more private than an individual’s medical or health information. Medical records often include some of the most intimate details about a person’s life. Protecting the confidentiality of health information is essential to ensure that individuals are able to obtain quality care.

We're Integris. We're always working to empower people through technology.
