Alston & Bird Privacy, Cyber & Data Strategy Blog

Advocate Health Care Network Agrees to Pay $5.55 Million to Settle Potential HIPAA Penalties

August 5, 2016 By HIPAA Privacy & Security Team

On August 4, 2016, the Office of Civil Rights (“OCR”) announced that Advocate Health Care Network (“Advocate”), Illinois’ largest fully-integrated health care system, has agreed to pay a record-breaking $5.55 million to settle claims of multiple Health Insurance Portability and Accountability Act (“HIPAA”) violations involving electronic protected health information (“ePHI”).  The substantial settlement stems from the extent and duration of the alleged noncompliance and the large number of individuals whose information was compromised, among other factors.

The OCR initiated its investigation in 2013 after Advocate submitted three breach notification reports relating to separate incidents involving Advocate Medical Group (“AMG”), its nonprofit physician-led medical group subsidiary. The three breaches involved the ePHI of approximately 4 million individuals and included demographic information, clinical information, health insurance information, patient names, addresses, credit card numbers and expiration dates, and dates of birth. After investigating the breaches, OCR found additional problems. According to the OCR, Advocate had failed to: accurately and thoroughly assess the potential risks and vulnerabilities of its ePHI; implement policies and procedures and facility access controls to prevent unauthorized physical access to electronic information systems located at a data support center; obtain business associate contracts; and secure an unencrypted laptop left in an unlocked vehicle overnight.

OCR Director Jocelyn Samuels stated, “[w]e hope this settlement sends a strong message to covered entities that they must engage in a comprehensive risk analysis and risk management to ensure that individuals’ ePHI is secure.  This includes implementing physical, technical, and administrative security measures sufficient to reduce the risks to ePHI in all physical locations and on all portable devices to a reasonable and appropriate level.”

Filed Under: Data Breach, Enforcement, Health Privacy, Privacy Tagged With: HIPAA

Copyright © 2022 · Alston & Bird · All Rights Reserved. Privacy.