Skip to main content

All Access Subscription

Get unlimited access to our full publication and article library.

Get Access Now

Interested in Group Sales? Learn more

HIPAA Update

Health System Agrees to Largest Settlement to Date

In the largest settlement of its kind, Illinois healthcare system Advocate Health agreed to pay $5.5 million and develop a corrective action plan to settle HIPAA violations due to data breaches. The violations include data protection violations related to electronic protected health information (ePHI) that have occurred over the past three years.

According to the U.S. Department of Health and Human Services’ Office of Civil Rights (OCR), the massive settlement was due to the extent and duration of the hospital system’s noncompliance with data security laws, and the number of patients affected. The security lapses affected four million patients and included patient names, insurance information, credit card numbers, addresses, clinical information, and dates of birth.

The investigations began in 2013 when Advocate Health submitted three breach notifications to OCR, including a breach that involved unauthorized access to 2,000 patient records by a third-party billing partner, and another that included theft of desktop computers containing four million patient records from an Advocate administrative office. The OCR investigation revealed Advocate Health did not conduct a thorough assessment of risks and vulnerabilities in the system; did not implement policies and procedures; failed to implement reasonable safeguards involving an unencrypted, stolen laptop; and did not ensure that third-party business associates would provide safeguards for ePHI.

“We hope this settlement sends a strong message to covered entities that they must engage in a comprehensive risk analysis and risk management to ensure that individuals’ ePHI is secure,” said OCR Director Jocelyn Samuels in a statement. “This includes implementing physical, technical, and administrative security measures sufficient to reduce the risks to ePHI in all physical locations and on all portable devices to a reasonable and appropriate level.”