Advocate Health Care Network, the largest fully integrated health care system in Illinois, has agreed to pay $5.55 million for multiple HIPAA violations, the largest settlement against a single entity to date.
This settlement contributes to the $36 million already paid out for HIPAA violations since 2003. Advocate will have to pay the U.S. Department of Health and Human Services, Office for Civil Rights (OCR) for its mishandling of electronic protected health information (ePHI).
The settlement’s large size is due to the extent and duration of Advocate’s noncompliance, the involvement of the State Attorney General in the investigation, and the large number of patients affected by the information breach.
OCR began investigating Advocate in 2013, when the network submitted three breach notification reports affecting the ePHI of approximately 4 million patients. The investigation determined that Advocate did not conduct a thorough ePHI risk assessment, implement policies to limit physical access to its data support center, obtain written promises that ePHI would be safe in outside possession, or safeguard an unencrypted laptop that was left in an unlocked vehicle overnight.
“We hope this settlement sends a strong message to covered entities that they must engage in a comprehensive risk analysis and risk management to ensure that individuals’ ePHI is secure,” said Jocelyn Samuels, director, OCR. “This includes implementing physical, technical, and administrative security measures sufficient to reduce the risks to ePHI in all physical locations and on all portable devices to a reasonable and appropriate level.”
In an email statement, Advocate Health Care said: “Protecting the privacy and confidentiality of our patients while delivering the highest level of care and service are our top priorities. As all industries deal with the ever-evolving digital landscape and the impact it has on security, we’ve enhanced our data encryption measures to prevent this type of incident from reoccurring. While there continues to be no indication that the information was misused, we deeply regret any inconvenience this incident has caused our patients. We continue to cooperate fully with the government to advance our patient privacy protection efforts.”
Editor’s Note: This story has been updated to include Advocate’s statement.