- Downers Grove, IL-based Advocate Health Care has agreed to pay HHS’ Office for Civil Rights $5.55 million to settle potential HIPAA violations related to electronic protected health information — the largest settlement against a single entity to date.
- The settlement, announced Thursday, stems from three separate breaches involving Advocate’s subsidiary, Advocate Medical Group. The breaches affected about 4 million patients.
- An investigation of the breaches, reported by Advocate in 2013, revealed significant gaps in Advocate’s policies and practices for protecting personal information in its databases.
Specifically, OCR found that Advocate failed to assess the vulnerabilities of its ePHI system, limit access to electronic information systems housed within its data support center, ensure in writing that business associates would safeguard ePHI and “reasonably safeguard” an unencrypted laptop left overnight in an unlocked vehicle.
Under the resolution agreement and corrective action plan, Advocate must conduct a comprehensive risk analysis of its entire ePHI, focusing on potential risks and vulnerabilities to confidentiality, integrity and availability of patients’ information. The network must also develop and implement a risk-management plan to address and mitigate and concerns that arise from the risk analysis.
The CAP also requires Advocate to report on the total number of device and equipment use to access, store, download or transmit ePHI, and update its policies and procedures on device and media controls.
OCR said the unprecedented size of the settlement was the result of the extent and duration of the alleged violations, the involvement of the Illinois attorney general, which is conducting its own investigation, and the large number of people whose information was breached.
“We hope this settlement sends a strong message to covered entities that they must engage in a comprehensive risk analysis and risk management to ensure that individuals’ ePHI is secure,” OCR Director Jocelyn Samuels said in a release. “This includes implementing physical, technical, and administrative security measures sufficient to reduce the risks to ePHI in all physical locations and on all portable devices to a reasonable and appropriate level.”