Advocate Health Care Network, one of the nation’s largest health systems, has agreed to pay a $5.5 million fine over breaches that exposed the data of more than 4 million patients in 2013.
The fine is the largest HIPAA enforcement settlement against a single entity to-date, which the Department of Health and Human Services’ Office for Civil Rights (OCR) said was “a result of the extent and duration of the alleged noncompliance.”
In a statement released on Thursday, OCR Director Jocelyn Samuels said:
“We hope this settlement sends a strong message to covered entities that they must engage in comprehensive risk analysis and risk management to ensure that individuals’ ePHI is secure.”
“This includes implementing physical, technical, and administrative security measures sufficient to reduce the risks to ePHI in all physical locations and on all portable devices to a reasonable and appropriate level,” added Samuels.
In 2013, Advocate submitted three breach notification reports related to separate incidents involving its subsidiary, Advocate Medical Group.
The compromised electric patient data included demographic location, clinical information, health insurance information, names, addresses, dates of birth, and credit card numbers, as well as expiration dates.
Following an extensive investigation, OCR revealed Advocate had failed to:
- Conduct an accurate and thorough assessment of the potential risks and vulnerabilities to all of its ePHI;
- Implement policies and procedures and facility access controls to limit physical access to the electronic information systems housed within a large data support center;
- Obtain satisfactory assurances in the form of a written business associate contract that its business associate would appropriately safeguard all ePHI in its possession; and
- Reasonably safeguard an unencrypted laptop when left in an unlocked vehicle overnight.
In addition to the $5.5 million fine, Advocate has also agreed to corrective action plan, which includes implementing a risk management plan; implementing processes for evaluating environmental and operational changes; and developing an enhanced privacy and security awareness training program, among other duties.
In response to the settlement, Advocate released the following statement:
“Protecting the privacy and confidentiality of our patients while delivering the highest level of care and service are our top priorities. As all industries deal with the ever-evolving digital landscape and the impact it has on security, we’ve enhanced our data encryption measures to prevent this type of incident from reoccurring.”
The Chicago-based healthcare system is the largest in Illinois, operating 12 hospitals and over 250 other treatment locations.