Not yet a Member?
HR Magazine is highlighting the next generation of HR leaders.
Is your employee handbook ready for the New Year? With SHRM’s Employee Handbook Builder get peace of mind that your handbook is up-to-date.
30+ HR education programs, including 4 NEW programs on hot topics, are available for registration.
Join us in Chicago for the latest trends and technology in talent management, and what to expect in the future.
Advocate Health Care cost for potential HIPAA violations is nearly $6 million
Advocate Health Care Network has agreed to a $5.5 million settlement with the U.S. Department of Health and Human Services (HHS) for multiple potential violations of the Health Insurance Portability and Accountability Act (HIPAA) involving electronic protected health information (ePHI), according to a press release from HHS announcing the settlement.
News reports are calling the settlement one of the largest to date for a single entity. The data of 4 million patients were exposed as a result of three separate incidents in 2013.
The stolen data included "demographic information, clinical information, health insurance information, patient names, addresses, credit card numbers and their expiration dates, and dates of birth," the press release stated. There have been no reports that individuals' identities have been stolen or that information has been misused.
By failing to safeguard patient data, Advocate violated federal patient privacy law, HHS determined after an investigation.
"We hope this settlement sends a strong message to covered entities that they must engage in a comprehensive risk analysis and risk management to ensure that individuals' ePHI is secure," said Jocelyn Samuels, director of the HHS Office for Civil Rights, in a news release.
"This includes implementing physical, technical and administrative security measures sufficient to reduce the risks to ePHI in all physical locations and on all portable devices to a reasonable and appropriate level."
Illinois-based Advocate Health Care Network operates a dozen hospitals and more than 200 additional treatment facilities.
According to news reports, the first breach occurred on July 15, 2013, when thieves stole four desktop computers. Those computers contained the records of nearly 4 million patients from an office belonging to the network's subsidiary, Advocate Medical Group (AMG) in Park Ridge, Ill.
In the second breach, which occurred between June 30 and Aug. 15, 2013, hackers accessed the network of an organization that supplies billing services to AMG. That may have compromised the health records of more than 2,000 AMG patients, according to the release.
Lastly, according to the agreement, on Nov. 1, 2013, an unencrypted laptop which contained the patient records of more than 2,230 people was stolen from a vehicle that belonged to an AMG employee.
While Advocate has admitted no wrongdoing, the HHS Office for Civil Rights stated in the press release that Advocate failed to:
"While there continues to be no indication that the information was misused, we deeply regret any inconvenience this incident has caused our patients."
You have successfully saved this page as a bookmark.
Please confirm that you want to proceed with deleting bookmark.
You have successfully removed bookmark.
Please log in as a SHRM member before saving bookmarks.
Your session has expired. Please log in again before saving bookmarks.
Please purchase a SHRM membership before saving bookmarks.
An error has occurred
Recommended for you
HR Education in a City Near You
SHRM’s HR Vendor Directory contains over 3,200 companies