Advocate Health Care cost for potential HIPAA violations is nearly $6 million
Advocate Health Care Network has agreed to a $5.5 million settlement with the U.S. Department of Health and Human Services (HHS) for multiple potential violations of the Health Insurance Portability and Accountability Act (HIPAA) involving electronic protected health information (ePHI), according to a press release from HHS announcing the settlement.
News reports are calling the settlement one of the largest to date for a single entity. The data of 4 million patients were exposed as a result of three separate incidents in 2013.
The stolen data included "demographic information, clinical information, health insurance information, patient names, addresses, credit card numbers and their expiration dates, and dates of birth," the press release stated. There have been no reports that individuals' identities have been stolen or that information has been misused.
By failing to safeguard patient data, Advocate violated federal patient privacy law, HHS determined after an investigation.
"We hope this settlement sends a strong message to covered entities that they must engage in a comprehensive risk analysis and risk management to ensure that individuals' ePHI is secure," said Jocelyn Samuels, director of the HHS Office for Civil Rights, in a news release.
"This includes implementing physical, technical and administrative security measures sufficient to reduce the risks to ePHI in all physical locations and on all portable devices to a reasonable and appropriate level."
Illinois-based Advocate Health Care Network operates a dozen hospitals and more than 200 additional treatment facilities.
According to news reports, the first breach occurred on July 15, 2013, when thieves stole four desktop computers from an office belonging to the network's subsidiary, Advocate Medical Group (AMG), in Park Ridge, Ill. Those computers contained the records of nearly 4 million patients.
In the second breach, which occurred between June 30 and Aug. 15, 2013, hackers accessed the network of an organization that supplies billing services to AMG. That may have compromised the health records of more than 2,000 AMG patients, according to the release.
Lastly, according to the agreement, on Nov. 1, 2013, an unencrypted laptop which contained the patient records of more than 2,230 people was stolen from a vehicle that belonged to an AMG employee.
While Advocate has admitted no wrongdoing, the HHS Office for Civil Rights stated in the press release that Advocate failed to:
"While there continues to be no indication that the information was misused, we deeply regret any inconvenience this incident has caused our patients."