The theft of four computers from a Chicago-area physician group practice may have exposed information on more than 4 million patients.
Advocate Medical Group, in a public statement posted on its website, reports that the burglary of four unencrypted computers was discovered on July 15. An investigation confirmed that the computers contained patient information used by Advocate for administrative purposes. While the statement didn't say how many patients were affected, an Advocate spokesman told local news media more than 4 million may have been affected.
Information on the computers may have included names, addresses, dates of birth, Social Security numbers and certain clinical information, such as diagnoses, medical records numbers, medical service codes and health insurance information, according to the statement. Complete medical records were not on the computers.
If the numbers prove accurate, the breach would be the second largest incident reported since the breach notification rule took effect in September 2009 under the HITECH Act, according to the Department of Health and Human Services' breach tally.
The largest incident involving TRICARE, the military health program and its business associate SAIC, affected 4.9 million individuals in 2011.
Advocate is offering free credit monitoring services to those whose information may have been exposed.
So far, the physician group has no evidence that the computers were stolen for the information they contained, according to the statement. The group is working with local law enforcement authorities in an attempt to find the four devices.
In the wake of the incident, Advocate has enhanced security by adding an around-the-clock security presence at the location that was burglarized and evaluating what other facilities may need similar protections, the statement notes. "We have reinforced our security protocols and encryption program with associates," the statement adds.