BreachExchange mailing list archives
Regulators to investigate Advocate data breach
From: Jake Kouns <jkouns () opensecurityfoundation org>
Date: Fri, 30 Aug 2013 13:38:13 -0400
http://articles.chicagotribune.com/2013-08-28/business/chi-advocate-20130828_1_medical-data-health-information-medical-record-numbers

Federal regulators and the Illinois attorney general's office confirmed this week that they will investigate Advocate Medical Group's data breach, the second-largest loss of unsecured protected health information reported to the Department of Health and Human Services since it implemented a mandatory notification rule in September 2009.

The breach, which the health care nonprofit revealed Friday, affects more than 4 million patients seen by Advocate Medical Group physicians, either in a medical office or a hospital, from the early 1990s through July. Patients began receiving notification letters Saturday informing them of the July 15 theft of four unencrypted desktop computers from a Park Ridge administrative office.

Downers Grove-based Advocate said the data includes names, addresses, dates of birth and Social Security numbers. While full patient medical records were not on the computers, medical data for some patients also is at risk, including diagnoses, medical record numbers, medical service codes and health insurance information. While the computers were password protected, they were not encrypted, which would render information unreadable to everyone except authorized users.

Rachel Seeger, a spokeswoman for the Health and Human Services Department, said the agency "takes these investigations very seriously, and since 2009 we have had a track record of taking a number of very high-profile actions that have sent clear messages to the industry that we expect full compliance with (data) privacy and security rules."

The agency, which investigates every data breach that involves more than 500 people, has collected more than $18.4 million in fines in 16 major cases. Fines are most often levied to health care providers and other entities that handle patient data in cases where so-called protected health information is exposed.
In the Advocate case, several categories of data reported as at risk appear to qualify as protected health data under federal law, including medical record numbers, health insurance information, Social Security numbers and other information that could be used for fraudulent purposes. Seeger declined to address the Advocate breach in detail, citing an "active law enforcement investigation."

Maura Possley, a spokeswoman for the Illinois attorney general's office, said Wednesday that investigators began working the case after Advocate notified the state of the breach on Aug. 22. She declined to provide further details of the investigation.

Kelly Jo Golson, an Advocate senior vice president, acknowledged Wednesday that some of the data at risk qualifies as protected health information under the law. She also said the sensitive data should not have been stored on the computers' hard drives. "This type of data should always be maintained on our secure network," she said.

Advocate is working with several outside experts and consultants to address the issue. Its efforts include mapping all of its computer and software systems to identify where patient information is stored and ensure it is secured, Golson said. "We understand why patients are anxious and concerned," she said. "We deeply regret the inconvenience this incident has caused the patients who have entrusted us with their care."

The computers have not been recovered, and Park Ridge police continue to investigate the break-in.

Thieves who gain access to this type of data can use it for a variety of fraudulent purposes, including obtaining credit cards, lines of credit and false identification cards. Health data like diagnoses, medical service codes and insurance information can be used for much larger fraud schemes involving insurers like Medicare and Medicaid, said Ryan Kalember, chief product officer at WatchDox Inc., a Palo Alto, Calif.-based software company that makes data security products.
Criminals can set up fake provider identifications and fraudulently bill insurance companies or the government for services never rendered. "Having someone's insurance information is critical, but having their (personal health information) itself is very useful in order to make the fraud more convincing," Kalember said. "These are much more sophisticated operations that can net much better dollars, and in many cases it's paid for by us as taxpayers."

There are also, of course, privacy implications. "If you can find out the health condition of a politician or a CEO, whether he has HIV, diabetes or terminal cancer, you can commit a totally different type of fraud," including blackmail and extortion, said Will Hinde, director of health care strategy and solutions at West Monroe Partners LLC, a Chicago-based consulting firm. "And once that information is out, it's out. You can cancel your credit card and get a new one, but you can't trade in your body."

_______________________________________________
Dataloss Mailing List (dataloss () datalossdb org)
Archived at http://seclists.org/dataloss/
Unsubscribe at http://lists.osvdb.org/mailman/listinfo/dataloss