The largest health system in Illinois sent letters out to its patients notifying them that Advocate Medical Oncology Group was the victim of a burglary on July 15th, 2013. The burglar(s) broke into the medical group’s administrative office building and were able to steal 4 laptop computers from the facility which happened to contain sensitive personal data on more than 4 million of Advocate Medical Oncology’s patients going back all the way to the 1990’s.
The data that was stored on the Group’s laptops included sensitive personal information on more that 4 million of its patients which included names, addresses, date of birth, social security numbers and other sensitive material regarding their patients. But according to a representative from Advocate the compromised information did not include the patient’s medical records, or banking or financial information.
Once aware of the break-in and possible data breach Advocate made every attempt to notify the patients who may have been affected, the company set up a dedicated call center to answer any questions their customers might have and offered one year of free credit monitoring services to anyone who may have been impacted.
Senior Vice President and Chief Marketing Officer, Jo Golson said, “Nothing leads us to believe the computers were taken for the information they contain, and there is no information to suggest any of that data has been used in an inappropriate way.”
But the rosy picture Advocate painted didn’t turn out to be the case at all, as a direct result of the Groups HIPAA violations and two cyber attacks later, Advocate Health experienced one of the largest ever before healthcare cyber data breaches on record.
Subsequent lawsuit(s) filed against Advocate for allegedly failing to encrypt their laptops, to take proper security measures and violation of patient privacy laws was dismissed in August of 2015 by two trial judges and Justice Ann B. Jorgensen of the Second Appellate Court ruled the lawsuit was “clearly speculative” and was without standing.
However, as a direct result of the Advocate building break-in there were 2 subsequent breaches within a period of three months that impacted another 2,029 and then another 2,237 more people. In total this resulted in the largest ever HIPAA settlement that covered just one single entity, Advocate Health Care Network, which has agreed to pay a record $5.55 million dollar settlement for its multiple potential Health Insurance Portability and Accountability Act (HIPAA) violations.