Advocate Health Care to pay record $5.55M HIPAA settlement

The amount is the largest such settlement to date reached with a single organization, according to HHS.

Advocate Health Care Network, the largest health system in Illinois, will pay $5.55 million to settle “potential” HIPAA violations affecting about 4 million people, the U.S. Department of Health and Human Services said Thursday. The amount is the largest such settlement to date reached with a single organization, according to HHS.

As is customary in HIPAA settlements, Downers Grove, Illinois-based Advocate had to agree to a corrective action plan with the HHS Office for Civil Rights, which enforces the HIPAA privacy and security rules.

The long-running investigation by OCR began in 2013, after Advocate submitted three breach notifications involving its physician practice, Advocate Medical Group. The breaches compromised electronic data on about 4 million individuals and included patient names, addresses, birthdates, demographic, clinical and insurance records, as well as credit card numbers, OCR said.

An OCR investigation of the breaches found that Advocate was lax in assessing risks to electronic patient data, didn’t fully control physical access to data centers, often lacked proper business associate agreements with vendors and failed to “reasonably safeguard an unencrypted laptop when left in an unlocked vehicle overnight,” according to a statement.

The agency said that Advocate may have violated federal standards “dating back to the inception” of the HIPAA security rule. That rule was finalized in 2003, and most healthcare entities in the U.S. had to be in compliance by April 21, 2005.

“We hope this settlement sends a strong message to covered entities that they must engage in a comprehensive risk analysis and risk management to ensure that individuals’ [electronic protected health information] is secure,” OCR Director Jocelyn Samuels said in a press release. “This includes implementing physical, technical and administrative security measures sufficient to reduce the risks to ePHI in all physical locations and on all portable devices to a reasonable and appropriate level.”

In a statement emailed to MedCity News, Advocate said:

Protecting the privacy and confidentiality of our patients while delivering the highest level of care and service are our top priorities. As all industries deal with the ever-evolving digital landscape and the impact it has on security, we’ve enhanced our data encryption measures to prevent this type of incident from reoccurring. While there continues to be no indication that the information was misused, we deeply regret any inconvenience this incident has caused our patients. We continue to cooperate fully with the government to advance our patient privacy protection efforts.

Advocate, which operates 12 hospitals and hundreds of clinics in the Chicago area and in the central part of the state, remains under investigation by the office of Illinois Attorney General Lisa Madigan, according to CNBC.

Advocate also is in the process of merging with Evanston, Illinois-based NorthShore University HealthSystem. That deal, first announced in September 2014, has been held up in a legal battle with the Federal Trade Commission. The FTC is appealing a federal court ruling from June that the merger could go through.