
AvMed Breach Affects 1.2 Million Florida Residents

A data breach in December 2009 at AvMed Health Plans included the theft of the Social Security numbers, names, addresses, birth dates, and health records of both current and former AvMed subscribers. Two laptop computers containing the records were stolen from the company's Gainesville office in December.

360,000 breach victims were notified in February, and on June 3 the company announced that it is notifying an additional 860,000 breach victims. AvMed is offering breach victims two years of free credit monitoring service with the Debix Identity Protection Network. Breach victims requiring more information can visit the AvMed website or contact Debix at 1-877-441-3004 (TTY: 877-442-8633). Breach victims who want the Debix coverage must register.

Breach victims should visit the Florida Attorney General's website for more information about identity theft and steps to take if their medical or personal information is used fraudulently by criminals. The Florida AG advises victims of fraud to:

  1. Report the incident to the fraud department of the three major credit bureaus
  2. Contact the fraud department of each of your creditors
  3. Contact your bank or financial institution
  4. Report the incident to law enforcement

Breach victims can get a free copy of their credit reports from the three credit bureaus. Since this breach involves medical information, breach victims should obtain a copy of their medical records from their AvMed physician and review it for fraudulent entries.

After a data breach with 1.5 million records stolen, in 2009 Health Net selected Debix as the complimentary credit monitoring service for its breach victims.

Is the health care industry doing a good job at protecting patients' medical information? I think not. Data breaches at health care companies are more common than many consumers and patients realize.

According to the Privacy Rights Clearinghouse, recent health care breaches include:

  • June 2010: Safe Harbor Med (Santa Cruz, California)
  • May 2010: Aetna (South Windsor, Connecticut)
  • May 2010: Loma Linda University Medical Center (Loma Linda, California)
  • May 2010: New Mexico Medicaid (Santa Fe, New Mexico)
  • May 2010: Millennium Medical Management Resources (Westmont, Illinois)
  • April 2010: St. Jude Heritage Medical Group (Orange, California)
  • April 2010: The Medical Center (Bowling Green, Kentucky)
  • April 2010: Hutcheson Medical Center and one other medical facility (Chattanooga, Tennessee)
  • April 2010: DRC Physical Therapy Plus (Monticello, New York)
  • April 2010: Affinity Health Plan (Bronx, New York)
  • April 2010: Massachusetts Eye and Ear Infirmary (Boston, Massachusetts)
  • April 2010: Brooke Army Medical Center (San Antonio, Texas)
  • April 2010: St. Peter's Hospital (Albany, New York)
  • April 2010: Virginia Beach Dept. of Social Services (Virginia Beach, Virginia)
  • April 2010: ManorCare Health Services (Wheaton, Maryland)
  • April 2010: St. Francis Hospital (Tulsa, Oklahoma)
  • April 2010: Providence Hospital (Southfield, Michigan)
  • April 2010: John Muir Physician Network (Walnut Creek, California)
  • March 2010: Northwestern Medical Faculty Foundation (Chicago, Illinois)
  • March 2010: University of Calgary Sunridge Medical Clinic (Calgary, California)
  • March 2010: Atlanta Veterans Affairs Medical Center (Atlanta, Georgia)
  • March 2010: UT Southwestern Medical Center (Dallas, Texas)
  • March 2010: The Open Door Clinic of Greater Elgin (Elgin, Illinois)

Whenever I read about a large breach including laptop computers, I wonder why firms and their employees insist on storing so many records on a single computer. It raises the question about whether AvMed properly trained its employees with effective data security practices.

I read AvMed's February and June press releases. Neither press release mentioned whether or not the stolen information was encrypted. Breach victims have to assume the worst: nothing was encrypted. This makes one wonder why the company didn't encrypt sensitive information.

And while the company claims that the risk of identity fraud is low, the fact is that using the types of information stolen, criminals can assume breach victims' identities, apply for credit in breach victims' names, and apply for health care fraudulently using breach victims' medical information.



Janice Taylor-Gaines

Great article highlighting the need for everyone to have a much higher computer/data security awareness. Check a (free) blog, "The Business-Technology Weave" (can Google to it) - it reflects what this article is saying. The majority of breaches are due to human error, therefore awareness and common sense are key, in supporting all necessary best practices. The blog author also has a book we use at work, "I.T. WARS" (you can Google that too). It has a great Security chapter, and others that treat security. Highly recommended. Great stuff.

Mister Reiner

"...I wonder why firms and their employees insist on storing so many records on a single computer."

The simple answer is: Because they can.

It never ceases to amaze how incredibly uninformed the medical community is about information security. I believe the root of the problem is that information technology in medical environments isn't being regulated or certified to be HIPAA compliant.


This is just crazy!! I haven't been insured with AvMed for over 12 years, yet my data was stored on one of those laptops... How can this be??? I work in the cc industry and sensitive data more than 3 years old is moved to tape drives and held at an offsite storage the heck are they allowed to keep data over 10 years old locally on laptops in the office??? This is mind boggling!!



I share your frustration. Companies retain our sensitive personal data for long periods of time.

When I.B.M. Corporation had its data breach in 2007, it exposed my sensitive personal data even though I never worked for I.B.M. Corporation. I.B.M. Corporation acquired my sensitive personal data when it acquired Lotus Development Corporation in 1995. I'd left Lotus in 1991.

The companies, or more accurately their lawyers, will tell you that they retain our data due to the myriad of federal and state laws. Some of this is valid because you may have a retirement account with a former employer.

At a minimum, this data should be encrypted. And you are correct, so many files should never be downloaded and stored on a single computer or laptop. Doing that is a poor data security habit.

This is one reason why I firmly advocate for long periods of free credit monitoring after a breach. Companies are storing our data for long periods and the risk of ID-theft and fraud doesn't magically end after 1 or 2 years of free credit monitoring.


Account Deleted

Is the health care industry doing a good job at protecting patients' medical information? Is it? I believe the root of the problem is that information technology in medical environments isn't being regulated or certified to be HIPAA compliant. Right?

Neil Asher Scam

Good article because fulfills needs


I dropped AvMed three years ago and just got a billing invoice in the mail for coverage from July 1, 2010 - July 31, 2010. Probably a phishing trip to get me to call them, or wrong I am to assume that.



My advice: look into your situation. Get a copy of your medical records. Review all EOBs (Explanation of Benefits) that you receive via snail mail. Look for fraud. Then get an attorney/resolution service to help you. Maybe also check the Identity Theft Resource Center for tips. Read this blog post for additional suggestions to protect yourself:
7 Tips To Protect Your Medical Records

Let us know what happens.


Credit Repair Services

I believe the root of the problem is that information technology in medical environments isn't being regulated or certified to be HIPAA compliant.
