Data Breach Underscores Need for Data Security Tools
The recent Advocate Medical Group breach underscores the need for more data security technologies to safeguard protected health information (PHI). After four computers were discovered stolen, an investigation determined that patient PHI had been stored on them. While the exact PHI content of the computers is not known, media reports indicate that more than 4 million patient records may have been exposed.
Questions to consider:
- Were these four computers approved for PHI storage? Typically, it would be considered an unsafe practice to store PHI outside of protected systems. It is likely the data was stored locally as a convenience to end users. Or, perhaps data was moved to these workstations at one time to facilitate an approved business process, but then never removed. Either way, adherence to proper data protection policies should have forbidden the practice of storing PHI on workstations and enforcement technologies, such as data loss prevention (DLP), could have been used to notify the organization that PHI was being stored inappropriately.
- Why was PHI not encrypted? Encryption technologies are in wide use today. However, they are often used only on devices that are most likely to be lost or stolen, such as laptop computers. This breach underscores the need for encryption on any and all devices upon which PHI is stored.
- Why was the specific PHI content and patient record count unknown? DLP enforcement technologies can provide scanning of stored content to detect PHI, including specific content details (patient name, social security numbers, medical record numbers, etc.) as well as the actual number of patient medical records. With the specifics these technologies provide, the healthcare organization could have detailed the number of records and the exact patients so as to possibly limit the number of required breach notifications and overall impact of the breach.
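As an added example (not from the original article), a minimal content scanner of the kind a DLP tool runs against files on a workstation: it flags social security number and medical record number patterns in a constructed sample export, screens out SSN-shaped values the SSA never issues to cut false positives, and counts the record rows that contain a hit. The `MRN-` number format and the sample data are assumptions.

```python
import re
from dataclasses import dataclass, field

# Identifier patterns. The SSN layout is the standard AAA-GG-SSSS form; the
# MRN layout ("MRN-" followed by 7 digits) is an assumption for this example,
# a real DLP policy would carry the organization's own record-number format.
SSN_RE = re.compile(r"\b(\d{3})-(\d{2})-(\d{4})\b")
MRN_RE = re.compile(r"\bMRN-\d{7}\b")


def is_plausible_ssn(area: str, group: str, serial: str) -> bool:
    """Reject SSN-looking strings that are never issued (area 000/666/9xx,
    group 00, serial 0000), so test data and random numbers do not count."""
    if area in ("000", "666") or area.startswith("9"):
        return False
    return group != "00" and serial != "0000"


@dataclass
class ScanResult:
    ssn_hits: set = field(default_factory=set)   # distinct SSNs found
    mrn_hits: set = field(default_factory=set)   # distinct MRNs found
    record_rows: int = 0                          # lines holding at least one hit


def scan_text(text: str) -> ScanResult:
    """Scan one file's contents line by line, as a DLP content scanner does."""
    result = ScanResult()
    for line in text.splitlines():
        line_hits = 0
        for m in SSN_RE.finditer(line):
            if is_plausible_ssn(*m.groups()):
                result.ssn_hits.add(m.group(0))
                line_hits += 1
        for m in MRN_RE.finditer(line):
            result.mrn_hits.add(m.group(0))
            line_hits += 1
        if line_hits:
            result.record_rows += 1
    return result


# Constructed sample: a patient export left in a local folder. The third
# row carries an unissued SSN (area 000) and a repeated MRN.
SAMPLE_EXPORT = """patient,ssn,mrn
Jane Doe,123-45-6789,MRN-0001234
John Roe,987-65-4321,MRN-0005678
Test Row,000-12-3456,MRN-0001234
"""


def summarize(text: str = SAMPLE_EXPORT) -> dict:
    r = scan_text(text)
    return {"ssn": len(r.ssn_hits), "mrn": len(r.mrn_hits), "rows": r.record_rows}
```

Run against a real file tree, the `rows` figure is what lets an organization state how many records a lost machine held instead of estimating from headlines.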