4 Million Patient Records Stolen in Second Largest HIPAA Data Breach

Advocate Health Care marks the second largest HIPAA data breach since the breach notification rule was implemented in 2009, losing more than 4 million patient records in a theft of four unencrypted computers. The data included personally identifiable patient information as well as clinical data, including diagnoses and health insurance information.

Advocate Health Care marks the second largest HIPAA data breach since the breach notification rule was implemented in 2009, losing more than 4 million patient records in a theft of four unencrypted computers. The data included personally identifiable patient information as well as clinical data, including diagnoses and health insurance information.

A senior vice president from Advocate acknowledged that the sensitive data shouldn’t have been stored on the computers’ hard drives, but instead maintained on their secure network. One of the steps they’re taking toward remediation includes mapping its computer and software systems in order to identify where patient data is stored, and how to secure it. This is also one of the first steps that should be taken toward data encryption – classifying sensitive data and then selecting a proper encryption method is next.

One way to keep data protected on secure networks is by using SAN (storage area network) disk-level encryption that encrypts the data as it’s written to disk. With an enterprise-class private cloud, your compute, memory and disk performance is completely dedicated to your organization – no sharing of resources.

Encryption of data at rest and in transit is highly recommended to meet HIPAA standards §164.312(a)(2)(iv) and §164.306(e)(2)(ii) for encryption of electronic protected health information (ePHI) anywhere data is also stored or archived as backups.

If you’re a healthcare organization seeking an encrypted data and application hosting solution, ask your HIPAA cloud hosting provider if they are able to provide encryption, and if they provide encrypted offsite backup. Without encryption, your data may be at risk if accessed by unauthorized users, and you are subject to the HIPAA Breach Notification Rule that requires public notification for data breach affecting over 500 individuals.

However, encryption can’t do it all – for a layered security approach, consider enlisting other data security tools such as File Integrity Monitoring (FIM), a Web Application Firewall (WAF), Daily Log Review and other technical security services.