9 August 2016

Illinois Health System In Largest-Ever HIPAA Settlement

Day Pitney LLP

Day Pitney LLP is a full-service law firm with more than 300 attorneys in Boston, Connecticut, Florida, New Jersey, New York and Washington, DC. The firm offers clients strong corporate and litigation practices, with experience on behalf of large national and international corporations as well as emerging and middle-market companies. With one of the largest individual clients practices on the East Coast, the firm also has extensive experience assisting individuals and their families, fiduciaries and tax-exempt entities plan for the future.

Advocate Health Care Network, the largest health system in Illinois, has agreed to pay $5.55 million to settle allegations of multiple potential HIPAA violations arising out of three separate data breaches that it reported in 2013. The U.S. Department of Health and Human Services Office for Civil Rights (OCR) announced the settlement on August 4.

Advocate operates 12 hospitals and more than 200 other treatment locations in Illinois, and its subsidiary Advocate Medical Group (AMG) includes more than 1,000 physicians. The first data breach involved the theft of four desktop computers, containing the electronic protected health information (ePHI) of about 4 million people, from an AMG administrative office. In the second breach, an unauthorized person accessed the network of a company that provides billing services to AMG, and in the third an unencrypted laptop was stolen from an AMG employee's unlocked car.

OCR's investigation found that Advocate, among other things, failed to conduct a thorough assessment of the potential risks and vulnerabilities to its ePHI and failed to implement policies and procedures and facility access controls to limit physical access to its and its business associates' computer systems. OCR said that the size of the settlement was based on the extent and duration of Advocate's noncompliance with HIPAA, as well as the number of patients affected by the security violations.

In OCR's press release, OCR Director Jocelyn Samuels said, "We hope this settlement sends a strong message to covered entities that they must engage in a comprehensive risk analysis and risk management to ensure that individuals' ePHI is secure. This includes implementing physical, technical, and administrative security measures sufficient to reduce the risks to ePHI in all physical locations and on all portable devices to a reasonable and appropriate level."

In addition to the $5.5 million payment, Advocate must comply with a corrective action plan which requires a full risk assessment, updated policies and procedures, workforce training and periodic reports to HHS.


The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.
