Advocate Health Care has agreed to pay $5.55 million to settle multiple potential data protection violations over the past three years, marking the largest Health Insurance Portability and Accountability Act (HIPAA) settlement HHS has ever received.
HHS' Office for Civil Rights said the massive settlement was due to the extent and duration of the Downers Grove, Ill.-based health system's alleged noncompliance with data security laws, as well as the number of patients affected by security violations involving patients' protected health information.
The agency started investigating Advocate's data security issues in 2013 after it received three breach notification reports in four months. The security lapses affected about 4 million patients.
Ultimately, HHS found that Advocate failed to accurately assess potential risks to its information technology systems and ensure that it and its business associates had adequate protections in place.
“We hope this settlement sends a strong message to covered entities that they must engage in a comprehensive risk analysis and risk management to ensure that individuals' ePHI is secure,” said Office for Civil Rights Director Jocelyn Samuels, referring to electronic protected health information.
Under the terms of the settlement, Advocate will conduct a full risk assessment and create HHS-approved plans to secure its IT systems that handle personally identifiable patient data.
Advocate said in a statement last week that protecting its patients' privacy and confidentiality is a top priority and it will fully cooperate with the government to enhance its data security.
The Advocate system includes 12 acute-care hospitals and more than 250 treatment locations, making it the largest fully integrated healthcare system in Illinois, according to HHS.
HHS has been scoring settlements in HIPAA cases recently, including a $2.75 million settlement with the University of Mississippi Medical Center in Jackson and a $2.7 million deal with Oregon Health & Science University, Portland.