BreachExchange mailing list archives

Regulators to investigate Advocate data breach


From: Jake Kouns <jkouns () opensecurityfoundation org>
Date: Fri, 30 Aug 2013 13:38:13 -0400

http://articles.chicagotribune.com/2013-08-28/business/chi-advocate-20130828_1_medical-data-health-information-medical-record-numbers

Federal regulators and the Illinois attorney general's office
confirmed this week that they will investigate Advocate Medical
Group's data breach, the second-largest loss of unsecured protected
health information reported to the Department of Health and Human
Services since it implemented a mandatory notification rule in
September 2009.

The breach, which the health care nonprofit revealed Friday, affects
more than 4 million patients seen by Advocate Medical Group
physicians, either in a medical office or a hospital, from the early
1990s through July.

Patients began receiving notification letters Saturday informing them
of the July 15 theft of four unencrypted desktop computers from a Park
Ridge administrative office.

Downers Grove-based Advocate said the data includes names, addresses,
dates of birth and Social Security numbers. While full patient medical
records were not on the computers, medical data for some patients also
is at risk, including diagnoses, medical record numbers, medical
service codes and health insurance information.

While the computers were password protected, they were not encrypted,
which would render information unreadable to everyone except
authorized users.

Rachel Seeger, a spokeswoman for the Health and Human Services
Department, said the agency "takes these investigations very
seriously, and since 2009 we have had a track record of taking a
number of very high-profile actions that have sent clear messages to
the industry that we expect full compliance with (data) privacy and
security rules."

The agency, which investigates every data breach that involves more
than 500 people, has collected more than $18.4 million in fines in 16
major cases. Fines are most often levied against health care providers
and other entities that handle patient data in cases where so-called
protected health information is exposed.

In the Advocate case, several categories of data reported as at risk
appear to qualify as protected health data under federal law,
including medical record numbers, health insurance information, Social
Security numbers and other information that could be used for
fraudulent purposes.

Seeger declined to address the Advocate breach in detail, citing an
"active law enforcement investigation."

Maura Possley, a spokeswoman for the Illinois attorney general's
office, said Wednesday that investigators began working the case after
Advocate notified the state of the breach on Aug. 22. She declined to
provide further details of the investigation.

Kelly Jo Golson, an Advocate senior vice president, acknowledged
Wednesday that some of the data at risk qualifies as protected health
information under the law. She also said the sensitive data should not
have been stored on the computers' hard drives. "This type of data
should always be maintained on our secure network," she said.

Advocate is working with several outside experts and consultants to
address the issue. Its efforts include mapping all of its computer and
software systems to identify where patient information is stored and
ensure it is secured, Golson said.

"We understand why patients are anxious and concerned," she said. "We
deeply regret the inconvenience this incident has caused the patients
who have entrusted us with their care."

The computers have not been recovered, and Park Ridge police continue
to investigate the break-in.

Thieves who gain access to this type of data can use it for a variety
of fraudulent purposes, including obtaining credit cards, lines of
credit and false identification cards.

Health data like diagnoses, medical service codes and insurance
information can be used for much larger fraud schemes involving
insurers like Medicare and Medicaid, said Ryan Kalember, chief product
officer at WatchDox Inc., a Palo Alto, Calif.-based software company
that makes data security products.

Criminals can set up fake provider identifications and fraudulently
bill insurance companies or the government for services never
rendered.

"Having someone's insurance information is critical, but having their
(personal health information) itself is very useful in order to make
the fraud more convincing," Kalember said. "These are much more
sophisticated operations that can net much better dollars, and in many
cases it's paid for by us as taxpayers."

There are also, of course, privacy implications.

"If you can find out the health condition of a politician or a CEO,
whether he has HIV, diabetes or terminal cancer, you can commit a
totally different type of fraud," including blackmail and extortion,
said Will Hinde, director of health care strategy and solutions at
West Monroe Partners LLC, a Chicago-based consulting firm. "And once
that information is out, it's out. You can cancel your credit card and
get a new one, but you can't trade in your body."
_______________________________________________
Dataloss Mailing List (dataloss () datalossdb org)
Archived at http://seclists.org/dataloss/