An article at HealthcareInfoSecurity highlights a recent breach that occurred at Advocate Medical Group. The breach, potentially involving the protected health information of four million consumers, could become the second largest breach incident reported under the HITECH notification rule.
The breach occurred when one of Advocate’s offices was burglarized and four un-encrypted computers were stolen. The information contained on those computers included names, addresses, dates of birth, Social Security numbers, and certain clinical health information for patients. While Advocate states that they continue to work with law enforcement to recover the stolen computers, they also report they have taken additional steps to strengthen current security measures:
- Adding 24/7 physical security presence at the office, and potentially at other facilities
- Reinforced security protocols, and encryption program
- Provided notification and credit monitoring services to affected patients
While a burglary can happen to any healthcare organization and frequently, lost media or computers are the cause of data breach in the healthcare industry it’s important to keep in mind that a thorough risk analysis will help mitigate this risk, because it should include assessment of physical security protocols as well. Too often, risk analysis is focused on mitigating the potential for hacking or any type of electronic loss of data, but the numbers prove that it’s important to focus on physical security as well: According to Privacy Rights Clearinghouse, almost half (47 percent) of all reported data breaches (known cause of breach) since 2005 were due to lost or stolen media, computers or other devices.