This month marked the largest HIPAA settlement to-date for a single entity. Advocate Health Care Network (“Advocate”) agreed to pay $5.5 million and adopt a corrective action plan after an investigation by the Department of Health and Human Services’ Office for Civil Rights (“OCR”) revealed that Advocate’s widespread noncompliance with the requirements of HIPAA affected the protected health information (“PHI”) of four million individuals.

OCR’s investigation into Advocate began in 2013 after its subsidiary, Advocate Medical Group (“AMG”), reported three separate data breaches. AMG reported: (i) a laptop computer stolen from an AMG office building, (ii) unauthorized access into a business associate’s computer network, and (iii) an unencrypted laptop taken from an employee’s unlocked vehicle. In combination, the three data breaches compromised the names, addresses, credit card information, clinical information, and health insurance information of four million individuals.

OCR began an investigation into Advocate as a result of these breaches. OCR’s investigation revealed that Advocate failed to:

  • conduct an accurate and thorough assessment of the potential risks and vulnerabilities to all of its electronic PHI (“ePHI”);
  • implement policies and procedures and facility access controls to limit physical access to the electronic information systems housed within a large data support center;
  • obtain satisfactory assurances in the form of a written business associate contract that its business associate would appropriately safeguard all ePHI in its possession; and
  • reasonably safeguard an unencrypted laptop when left in an unlocked vehicle overnight.

In response to the record-breaking settlement, OCR Director Jocelyn Samuels said, “[w]e hope this settlement sends a strong message to covered entities that they must engage in a comprehensive risk analysis and risk management to ensure that individuals’ ePHI is secure.”

This settlement is yet another illustration of OCR’s increasingly aggressive approach to HIPAA enforcement. Not only has OCR been active in bringing enforcement actions when ePHI is compromised, but OCR has also cracked down on HIPAA compliance through the commencement of its HIPAA compliance audits.

To read more about OCR’s compliance audits, click here.

To read a full copy of Advocate’s Resolution Agreement and Corrective Action Plan, click here.

To read a copy of the Advocate press release, click here.