Advocate Health Care Network, the largest health system in
Illinois, has agreed to pay $5.55 million to settle
allegations of multiple potential HIPAA violations arising out of
three separate data breaches that it reported in 2013. The U.S.
Department of Health and Human Services Office for Civil Rights
(OCR) announced the settlement on August 4.
Advocate operates 12 hospitals and more than 200 other treatment
locations in Illinois, and its subsidiary Advocate Medical Group
(AMG) includes more than 1,000 physicians. The first data breach
involved the theft of four desktop computers, containing the
electronic protected health information (ePHI) of about 4 million
people, from an AMG administrative office. In the second breach, an
unauthorized person accessed the network of a company that provides
billing services to AMG, and in the third an unencrypted laptop was
stolen from an AMG employee's unlocked car.
OCR's investigation found that Advocate, among other things,
failed to conduct a thorough assessment of the potential risks and
vulnerabilities to its ePHI and failed to implement policies and
procedures and facility access controls to limit physical access to
its and its business associates' computer systems. OCR said
that the size of the settlement was based on the extent and
duration of Advocate's noncompliance with HIPAA, as well as the
number of patients affected by the security violations.
In OCR's press release, OCR Director Jocelyn Samuels said,
"We hope this settlement sends a strong message to covered
entities that they must engage in a comprehensive risk analysis and
risk management to ensure that individuals' ePHI is secure.
This includes implementing physical, technical, and administrative
security measures sufficient to reduce the risks to ePHI in all
physical locations and on all portable devices to a reasonable and
appropriate level."
In addition to the $5.55 million payment, Advocate must comply
with a corrective action plan that requires a full risk
assessment, updated policies and procedures, workforce training and
periodic reports to HHS.