Illinois’ largest health system will pay more than $5.5 million to settle allegations that it violated patient privacy laws.
The U.S. Department of Health and Human Services said that the settlement with Advocate Health Care is the largest to date from a single entity for potential violations of the Health Insurance Portability and Accountability Act.
The case stemmed from three reports detailing security breaches of electronic protected health information — or eHHI — by Advocate Medical Group, a subsidiary, in 2013.
The Chicago Tribune reported that most of the information was compromised when four laptops were stolen from an office in suburban Chicago. The other incidents involved an unauthorized third party that accessed information through business associate and another laptop stolen from an employee’s vehicle.
HHS officials said that the breaches impacted a total of about 4 million people and potentially disclosed names, addresses, dates of birth, and credit card information, as well as demographic, clinical, and insurance details.
The government alleged that Advocate failed to properly assess the risks to its electronic information, limit access to its systems, ensure security with its business associates, and “reasonably safeguard an unencrypted laptop when left in an unlocked vehicle overnight.”
“We hope this settlement sends a strong message to covered entities that they must engage in a comprehensive risk analysis and risk management to ensure that individuals’ ePHI is secure,” Jocelyn Samuels, director of the HHS Office for Civil Rights, said in a statement.
Advocate did not admit liability and said that that although the information did not appear to be misused, “we deeply regret any inconvenience this incident has caused our patients.”
“As all industries deal with the ever-evolving digital landscape and the impact it has on security, we’ve enhanced our data encryption measures to prevent this type of incident from reoccurring,” the provider told the Tribune in a statement.
Filed Under: Industry regulations