Advocate Health Care Network is the largest hospital chain operator in Illinois, and was recently fined for violating the information security requirements of the US Health Insurance Portability and Accountability Act (HIPAA). In this case, approximately 4 million patient records were exposed. How does a trusted organization let this kind of security breach happen?
An investigation began in 2013 as a result of a number of breach notifications by a subsidiary of Advocate. Among the types of data exposed in these incidents were: demographic information, clinical information, health insurance information, patient names, addresses, credit card numbers and their expiration dates, and dates of birth.
The findings of the investigation indicated that the organization failed to adequately:
It's very likely that the $5.5 million penalty is only a small part of the total cost to the organization of having lax security measures. In this case, the cost of securing their removable media would probably have been a fraction of the penalty assessed.
Organizations in any industry must take a realistic look at the full cost of a security breach relative to the cost of implementing good security up front.
Here’s an article from Computer World on this story.