In the largest settlement paid for a violation of the Health Insurance Portability and Accountability Act (HIPAA), Advocate Health Care will pay $5.55 million for a breach that led to the exposure of personally identifiable information (PII) of four million patients, according to the Chicago Tribune.
The fine for the violation of the federal patient privacy law comes after an investigation that started in 2013 when Downers Grove, Ill.-based Advocate Health Care, the largest health system in the state, submitted three different data breach reports involving its subsidiary, Advocate Medical Group, to the Office for Civil Rights (OCR), within the U.S. Department of Health and Human Resources.
In one instance, four unencrypted laptops were stolen from an administrative office. Additionally, an unauthorized third party accessed the network of an Advocate business associate, which potentially exposed the PII of another 2,000 patients. In November, Advocate reported to OCR that an unencrypted laptop with the PII of a further more 2,200 patients was stolen from an Advocate Medical Group employee's car.
The OCR determined that Advocate failed to properly assess the risks of its data, didn't reasonably safeguard an encrypted laptop that was left overnight in an unlocked vehicle and it didn't adequately limit access to its information systems.
"We hope this settlement sends a strong message to covered entities that they must engage in a comprehensive risk analysis and risk management to ensure that individuals' ePHI is secure," said Jocelyn Samuels, director of the OCR, in a statement.
Advocate has agreed to pay the settlement and adopt a corrective action plan.Advocate sent SCMagazine.com the following statement:
Protecting the privacy and confidentiality of our patients while delivering the highest level of care and service are our top priorities. As all industries deal with the ever-evolving digital landscape and the impact it has on security, we've enhanced our data encryption measures to prevent this type of incident from reoccurring. While there continues to be no indication that the information was misused, we deeply regret any inconvenience this incident has caused our patients. We continue to cooperate fully with the government to advance our patient privacy protection efforts.
