In Chicago, the theft of four computers from Illinois-based Advocate Health Care potentially put the personal information of more than four million patients at risk. The computers, stolen on July 15, 2013, contained names, addresses, Social Security numbers and dates of birth. The incident represents one of the largest security breaches in healthcare. The health system then faced a class action lawsuit from affected patients.
Stolen laptops containing patient medical data seem to pop up in the media on a weekly basis. The security of medical data is a challenge for many health care facilities, and as three recent incidents show, inadequate data security can affect large numbers of people and also affect the liability of the company from which the data was stolen.
In Los Angeles, the theft of two laptops belonging to a California hospital group compromised the medical records of about 729,000 patients. The laptops, which belonged to San Gabriel Valley-based AHMC, contained health and personal information on patients treated at six area hospitals. According to the U.S. Department of Health and Human Services, the AHMC Healthcare data breach is the 11th largest healthcare data breach ever.
Healthcare data breaches related to the use of laptops or other portable devices that store, contain, or are used to access patient medical data are on the rise. The potential consequences of these recent breaches of the HIPAA Omnibus Rule¹ (the “Rule”) are likely to be severe.
In early October 2013, a laptop containing unencrypted demographic data on approximately 5,500 patients was stolen from Seton Healthcare Family’s McCarthy Community Health Center in Austin, Texas. The files on the laptop included names, addresses, telephone numbers, dates of birth, Seton medical record and patient account numbers, Social Security numbers, diagnoses, immunizations, and insurance information. Although Seton Healthcare Family requires that computers be encrypted, the stolen laptop did not have encryption software installed.