Downers Grove, Ill.-based Advocate Health Care has agreed to pay $5.55 million to HHS' Office for Civil Rights to settle claims that it violated HIPAA.
The settlement is the largest HIPAA payment to date involving a single entity.
The allegations against Advocate, the largest system in Illinois, involve electronic protected health information. In 2013, the OCR launched an investigation after Advocate submitted three different data breach reports on behalf of its subsidiary, Advocate Medical Group. In total, the breaches comprised the ePHI of 4 million individuals and included their names, demographic information, addresses, credit card numbers, dates of birth, clinical information and health insurance information.
The problems began in August 2013, when four laptops containing patient information were taken from an Advocate office in Park Ridge, Ill., during a burglary. Later that summer, an outside party accessed an Advocate business associate's network, which potentially compromised 2,000 patients' information. More than 2,000 more patients' information was stolen in November 2013 when a laptop was stolen from an Advocate employee's vehicle.
After conducting an investigation, the OCR concluded that Advocate had failed to assess the risks to its ePHI, to restrict physical access to its IT systems, to obtain written assurances from its business associates that they would safeguard Advocate's ePHI, and to reasonably safeguard an unencrypted laptop that was left in an unlocked vehicle overnight.
"We hope this settlement sends a strong message to covered entities that they must engage in a comprehensive risk analysis and risk management to ensure that individuals' ePHI is secure," said Jocelyn Samuels, director of the OCR. "This includes implementing physical, technical and administrative security measures sufficient to reduce the risks to ePHI in all physical locations and on all portable devices to a reasonable and appropriate level."
In a statement, Advocate Health Care said, "Protecting the privacy and confidentiality of our patients while delivering the highest level of care and service are our top priorities. As all industries deal with the ever-evolving digital landscape and the impact it has on security, we've enhanced our data encryption measures to prevent this type of incident from reoccurring. While there continues to be no indication that the information was misused, we deeply regret any inconvenience this incident has caused our patients. We continue to cooperate fully with the government to advance our patient privacy protection efforts."