On August 23, 2013, Advocate Medical Group (“AMG”), Illinois’s largest health care network, announced that four computers housing the personal information of over four million patients were stolen in the burglary of an administrative building on July 15, 2013. Upon discovering the burglary, AMG immediately notified local police, who are in the process of investigating the incident. AMG has started to notify patients and has also alerted the U.S. Department of Health and Human Services’ Office for Civil Rights (“OCR”), the Illinois Attorney General, and several insurance companies. AMG has also set up call centers and created a website describing the burglary, the information stolen, and corrective action measures taken to date.
Although the stolen computers did not store electronic medical records, they did house patient demographic information, including Social Security numbers, and limited clinical information, such as treating physicians’ names and diagnoses. Further, although the computers were password protected, information stored on them was not encrypted. Law enforcement has not yet been able to locate the computers or identify the thieves. Due to the nature of the information at risk, AMG is offering affected patients one free year of credit monitoring services, although no evidence of misuse of the stolen information has been detected at this point.
In response to this incident, AMG announced that it is bolstering its data security program. Specifically, it has added a physical security presence to the burglarized location to monitor the site 24 hours a day, 7 days a week. Additionally, AMG has reinforced its data security program with all associates.
Computer thefts continue to be a common cause of breaches of personal information. Even though AMG has not yet been subjected to government fines as a result of this incident, it has undoubtedly spent significant resources on notifications, corrective action, and publicity. All entities that store sensitive data should consider the AMG burglary as instructive when evaluating the sufficiency of their own data security practices, particularly with regard to computers storing personal information.