On top of federal and state investigations into its data breach, Advocate Medical Group in Downers Grove, Ill., faces a class-action lawsuit from affected patients.
The lawsuit claims the Chicago area's largest physician group violated privacy regulations by failing to use encryption and other security practices, according to the Chicago Tribune.
Personal information for more than 4 million patients was compromised in the July theft of four computers. It's the second-largest loss of unsecured health information reported to the Department of Health and Human Services since the agency made notification mandatory in 2009.
Though the computers were password protected, the information was not encrypted.
"Nothing leads us to believe the computers were taken for the information they contain, and there is no information to suggest any of that data has been used in an inappropriate way," Kelly Jo Golson, senior vice president and chief marketing officer for the nonprofit group, told the Tribune.
The records included names, addresses, dates of birth and Social Security numbers, but no full medical records. However, diagnoses, medical record numbers, medical service codes and health insurance information on patients seen from the early 1990s through July were among the data potentially exposed.
HHS and the Illinois attorney general are investigating the breach, one of at least 10 reported in the state this year, according to the Tribune.
Though most healthcare organizations understand the risks of a breach, including violating the Health Insurance Portability and Accountability Act, many nevertheless fail to take proper steps to prevent one, according to a Ponemon Institute report.
Often, organizations don't fully grasp the need to do so until a breach occurs. In the Ponemon survey, even among organizations that had been breached, 39 percent still had not put a data risk plan in place. The report put healthcare organizations' cost of responding to breaches at $6.78 billion annually.
Beth Israel Deaconess Medical Center CIO John Halamka recently described the risk audit process that organization underwent after a 2012 laptop breach as a "public colonoscopy," but credited the lessons learned with helping the organization protect patient data as it later responded to the Boston Marathon bombings.
To learn more:
- read the Tribune article