Illinois hospital chain to pay record $5.5M for exposing data about millions of patients

Illinois’ largest hospital chain today agreed to pay a $5.5 million fine by the government for lax data security that led to the exposure of more than 4 million electronic patient records.

The fine against Advocate Health Care Network, the largest ever levied under Health Insurance Portability and Accountability Act (HIPAA) regulations, is a result of the “extent and duration of the alleged noncompliance.”

The U.S. Department of Health and Human Services’ Office for Civil Rights (OCR) began its investigation in 2013, when the healthcare chain submitted three breach notification reports pertaining to separate and distinct incidents involving its subsidiary, Advocate Medical Group (AMG).

In some instances, the lax security at one of the nation’s largest hospital chains dates back to the inception of the HIPAA Security Rule, and it included an an investigation by the State Attorney General.

Advocate Health Care Network, which operates 12 hospitals and hundreds of satellite locations, has agreed pay the fine.

Advocate said in a statement that “protecting the privacy and confidentiality of our patients while delivering the highest level of care and service are our top priorities.”

“As all industries deal with the ever-evolving digital landscape and the impact it has on security, we’ve enhanced our data encryption measures to prevent this type of incident from reoccurring,” the statement read. “While there continues to be no indication that the information was misused, we deeply regret any inconvenience this incident has caused our patients. We continue to cooperate fully with the government to advance our patient privacy protection efforts.”

According to the OCR, Advocate’s breach exposed patient data that included demographic information, clinical information, health insurance information, patient names, addresses, credit card numbers and their expiration dates, and dates of birth.

According to the OCR, Advocate failed to:

• Conduct an accurate and thorough assessment of the potential risks and vulnerabilities on all of its electronic protected health information
• Implement policies and procedures and facility access controls to limit physical access to the electronic information systems housed within a large data support center
• Obtain satisfactory assurances in the form of a written business associate contract that its business associate would appropriately safeguard all electronic protected health information in its possession
• Reasonably safeguard an unencrypted laptop when left in an unlocked vehicle overnight

“We hope this settlement sends a strong message to covered entities that they must engage in a comprehensive risk analysis and risk management to ensure that individuals’ [electronic information] is secure,” OCR Director Jocelyn Samuels said in a statement. “This includes implementing physical, technical, and administrative security measures sufficient to reduce the risks to [electronic protected health information] in all physical locations and on all portable devices to a reasonable and appropriate level.”