Health Care System to Pay Largest Data Breach Settlement Ever

Advocate Health Care cost for potential HIPAA violations is nearly $6 million

By Aliah D. Wright, August 9, 2016

Advocate Health Care Network has agreed to a $5.5 million settlement with the U.S. Department of Health and Human Services (HHS) for multiple potential violations of the Health Insurance Portability and Accountability Act (HIPAA) involving electronic protected health information (ePHI), according to a press release from HHS announcing the settlement.

News reports are calling the settlement one of the largest to date for a single entity. The data of 4 million patients were exposed as a result of three separate incidents in 2013.

The stolen data included "demographic information, clinical information, health insurance information, patient names, addresses, credit card numbers and their expiration dates, and dates of birth," the press release stated. There have been no reports that individuals' identities have been stolen or that information has been misused.

By failing to safeguard patient data, Advocate violated federal patient privacy law, HHS determined after an investigation.

"We hope this settlement sends a strong message to covered entities that they must engage in a comprehensive risk analysis and risk management to ensure that individuals' ePHI is secure," said Jocelyn Samuels, director of the HHS Office for Civil Rights, in a news release.

"This includes implementing physical, technical and administrative security measures sufficient to reduce the risks to ePHI in all physical locations and on all portable devices to a reasonable and appropriate level."

Illinois-based Advocate Health Care Network operates a dozen hospitals and more than 200 additional treatment facilities.

According to news reports, the first breach occurred on July 15, 2013, when thieves stole four desktop computers. Those computers contained the records of nearly 4 million patients from an office belonging to the network's subsidiary, Advocate Medical Group (AMG) in Park Ridge, Ill.

In the second breach, which occurred between June 30 and Aug. 15, 2013, hackers accessed the network of an organization that supplies billing services to AMG. That may have compromised the health records of more than 2,000 AMG patients, according to the release.

Lastly, according to the agreement, on Nov. 1, 2013, an unencrypted laptop that contained the patient records of more than 2,230 people was stolen from a vehicle belonging to an AMG employee.

While Advocate has admitted no wrongdoing, the HHS Office for Civil Rights stated in the press release that Advocate failed to:

  • Conduct an accurate and thorough assessment of the potential risks and vulnerabilities to all of its ePHI.
  • Implement policies and procedures, as well as facility access controls, to limit physical access to the electronic information systems housed within a large data support center.
  • Obtain satisfactory assurances in the form of a written business associate contract that its business associate would appropriately safeguard all ePHI in its possession.
  • Reasonably safeguard an unencrypted laptop when left in an unlocked vehicle overnight.

In a statement, Advocate called protecting its patients' confidentiality and privacy an important priority and said it would fully cooperate with the government to enhance its data security.

"As all industries deal with the ever-evolving digital landscape and the impact it has on security, we've enhanced our data encryption measures to prevent this type of incident from reoccurring," the health system stated.

"While there continues to be no indication that the information was misused, we deeply regret any inconvenience this incident has caused our patients."
