Four Million Patient Records Stolen in Second Largest HIPAA Data Breach

Posted 9.3.13 by

Advocate Health Care has suffered the second largest HIPAA data breach since the breach notification rule took effect in 2009, losing more than 4 million patient records when four unencrypted computers were stolen. The data included personally identifiable patient information as well as clinical data, including diagnoses and health insurance information.

A senior vice president from Advocate acknowledged that the sensitive data should not have been stored on the computers' hard drives, but instead maintained on the organization's secure network. One of the remediation steps Advocate is taking is mapping its computer and software systems to identify where patient data is stored and how to secure it. This is also the first step toward data encryption: classify the sensitive data, then select a proper encryption method for it.

One way to keep data protected on secure networks is to use SAN (storage area network) disk-level encryption, which encrypts the data as it is written to disk. With an enterprise-class private cloud, your compute, memory and disk performance are dedicated entirely to your organization, with no sharing of resources.

Encryption of data at rest and in transit is highly recommended to meet HIPAA standards §164.312(a)(2)(iv) and §164.306(e)(2)(ii) for encryption of electronic protected health information (ePHI), including anywhere the data is stored or archived as backups.

If you are a healthcare organization seeking an encrypted data and application hosting solution, ask your HIPAA cloud hosting provider whether they provide encryption and whether they provide encrypted offsite backup. Without encryption, your data may be at risk if accessed by unauthorized users, and you are subject to the HIPAA Breach Notification Rule, which requires public notification of a data breach affecting more than 500 individuals.

However, encryption cannot do it all. For a layered security approach, consider enlisting other data security tools such as File Integrity Monitoring (FIM), a Web Application Firewall (WAF), Daily Log Review and other technical security services.

Upcoming HIPAA Encryption Webinar
Want to learn more about the HHS's encryption standards for securing PHI? Join our upcoming webinar, Removing the 'Cryptic' from 'Encryption': HIPAA and the Meaning of Secure PHI, hosted by Online Tech's April Sage and Brian Balow of Dickinson Wright, an attorney focused on IT, healthcare law and intellectual property. Held Tuesday, September 17 at 2PM ET, it is free to join, and we encourage submitting your questions about HIPAA encryption in advance. Sign up online here.

Regulators to Investigate Advocate Data Breach
Advocate Medical Group Notifies Patients, Offers Protection Following Office Burglary

About Otava

Otava provides the secure, compliant hybrid cloud solutions demanded by service providers, channel partners and enterprise clients in compliance-sensitive industries. By actively aggregating best-of-breed cloud companies and investing in people, tools, and processes, Otava’s global footprint continues to expand. The company provides its customers in highly regulated disciplines with a clear path to transformation through its effective solutions and broad portfolio of hybrid cloud, data protection, disaster recovery, security and colocation services, all championed by an exceptional support team. Learn more at www.otava.com.
