Advocate Health Care has agreed to pay $5.55 million to settle multiple data protection violations over the past three years, marking the largest Health Insurance Portability and Accountability Act settlement HHS has ever received.
HHS' Office for Civil Rights said the massive settlement was due to the extent and duration of the Downers Grove, Ill.-based health system's noncompliance with data security laws, as well as the number of patients affected by the security violations involving patients' protected health information.
The agency started investigating Advocate's data security issues in 2013 after it received three breach notification reports in four months from the health system. All in all, the security lapses affected approximately 4 million Advocate patients.
Ultimately, HHS' Office for Civil Rights found that Advocate failed to accurately assess potential risks to its information technology systems and ensure that it and its business associates had adequate protections in place.
“We hope this settlement sends a strong message to covered entities that they must engage in a comprehensive risk analysis and risk management to ensure that individuals' ePHI is secure,” said Office for Civil Rights Director Jocelyn Samuels, referring to electronic patient health information. “This includes implementing physical, technical, and administrative security measures sufficient to reduce the risks to ePHI in all physical locations and on all portable devices to a reasonable and appropriate level.”
HHS has been actively scoring settlements in HIPAA cases recently, including a $2.75 million settlement with the University of Mississippi Medical Center in Jackson and a $2.7 million deal with Oregon Health & Science University, Portland, within days of each other in July.
Under the terms of the settlement, Advocate will conduct a full risk assessment and create HHS-approved plans to secure its IT systems handling protected patient health information.
Advocate said in a statement Thursday that protecting its patients' privacy and confidentiality is a top priority and it will fully cooperate with the government to enhance its data security.
“As all industries deal with the ever-evolving digital landscape and the impact it has on security, we've enhanced our data encryption measures to prevent this type of incident from reoccurring,” the health system said. “While there continues to be no indication that the information was misused, we deeply regret any inconvenience this incident has caused our patients.”
In August 2013, Advocate reported the first and largest of the three data breaches to HHS, which involved the theft of four unencrypted laptops. The laptops contained approximately 4 million patient records, making the incident the second-largest medical records breach since HHS OCR started publicly posting large incidents to its “wall of shame.” The two other incidents, a breach of a business associate's network and a breach of Advocate's ePHI system, affected approximately 2,000 patients each.
Advocate was sued several times over the August 2013-reported data breach. The first two of those class actions were dismissed by July 2014.
Advocate's health system includes 12 acute-care hospitals and more than 250 treatment locations, making it the largest fully integrated healthcare system in Illinois, according to HHS.