Health System Agrees to Largest HIPAA Fine Against a Single Entity

August 8, 2016
News & Insights

A Chicago-based healthcare system agreed to the largest HIPAA settlement fine against a single entity, HHS announced August 4. Advocate Health Care Network will pay $5.55 million to settle three separate HIPAA breaches reported in 2013. The breaches affected a total of 4 million individuals and the protected health information (PHI) included:

  • Clinical information
  • Credit card information
  • Demographic information
  • Health insurance information
  • Patient names, addresses, and dates of birth

In August 2013, Advocate notified HHS that a breach of unsecured electronic PHI (ePHI) occurred after four desktop computers were stolen from Touhy Support Center, one of the organization’s administrative office buildings. The computers contained the ePHI of 3,994,175 individuals. The following month, Advocate reported another breach of unsecured ePHI affecting 2,027 individuals. The breach occurred when an unauthorized party accessed the network of Blackhawk Consulting Group, a business associate (BA) contracted by Advocate to provide billing services. In November, Advocate experienced another breach of unsecured ePHI when an unencrypted laptop containing the ePHI of 2,237 individuals was stolen from an employee’s car.

The Office for Civil Rights’ investigation revealed widespread noncompliance with HIPAA, in some cases dating back to the implementation of the Security Rule. Advocate did not have a written BA agreement (BAA) with Blackhawk, failed to conduct accurate organizationwide risk analyses, had no policies to limit physical access to data housed in Touhy Support Center, and failed to safeguard ePHI stored on the stolen laptop, according to the corrective action plan.

Advocate is one of the largest health systems in the country. The number of individuals affected by the breaches, the extent and duration of the noncompliance, and the involvement of the Illinois attorney general all factored into the size of the fine. In its statement, HHS again stressed the importance of conducting regular, organizationwide risk analyses.
