On August 4, 2016, the Office of Civil Rights (“OCR”) announced that Advocate Health Care Network (“Advocate”), Illinois’ largest fully-integrated health care system, has agreed to pay a record-breaking $5.55 million to settle claims of multiple Health Insurance Portability and Accountability Act (“HIPAA”) violations involving electronic protected health information (“ePHI”). The substantial settlement stems from the extent and duration of the alleged noncompliance and the large number of individuals whose information was compromised, among other factors.
The OCR initiated its investigation in 2013 after Advocate submitted three breach notification reports relating to separate incidents involving Advocate Medical Group (“AMG”), its nonprofit physician-led medical group subsidiary. The three breaches involved the ePHI of approximately 4 million individuals and included demographic information, clinical information, health insurance information, patient names, addresses, credit card numbers and expiration dates, and dates of birth. After investigating the breaches, OCR found additional problems. According to the OCR, Advocate had failed to: accurately and thoroughly assess the potential risks and vulnerabilities of its ePHI; implement policies and procedures and facility access controls to prevent unauthorized physical access to electronic information systems located at a data support center; obtain business associate contracts; and secure an unencrypted laptop left in an unlocked vehicle overnight.
OCR Director Jocelyn Samuels stated, “[w]e hope this settlement sends a strong message to covered entities that they must engage in a comprehensive risk analysis and risk management to ensure that individuals’ ePHI is secure. This includes implementing physical, technical, and administrative security measures sufficient to reduce the risks to ePHI in all physical locations and on all portable devices to a reasonable and appropriate level.”