Advocate Health Care Network agreed to a record $5.5 million settlement with the U.S. Department of Health and Human Services, Office for Civil Rights (OCR), over multiple potential HIPAA violations with regard to electronic protected health information (ePHI). The settlement also required Advocate to implement a corrective action plan.
This significant settlement, the largest to date against a single entity, is due to the extent and duration of the alleged violations, an investigation involving the State Attorney General, and the large number of individuals whose information was affected by Advocate.
The investigation began in 2013, when Advocate submitted three breach notification reports pertaining to separate and distinct incidents involving its subsidiary, Advocate Medical Group (“AMG”). These breaches affected the ePHI of approximately 4 million individuals.
The ePHI included demographic information, clinical information, health insurance information, patient names, addresses, credit card numbers and their expiration dates, and dates of birth. OCR’s investigations into these incidents revealed that Advocate failed to:
- conduct a thorough assessment of the risks and vulnerabilities to all of its ePHI.
- implement policies, procedures, and physical safeguards to limit access to its data servers, which contain valuable and sensitive ePHI.
- obtain business associate agreements (BAAs) from all of its business associates.
- reasonably safeguard an unencrypted laptop when left in an unlocked vehicle overnight.
All of these findings are serious HIPAA violations.
Advocate Health Care Network is the largest fully-integrated health care system in Illinois, with more than 250 treatment locations, including ten acute-care hospitals and two integrated children’s hospitals. Its subsidiary, AMG, is a nonprofit physician-led medical group that provides primary care, medical imaging, outpatient and specialty services throughout the Chicago area and in Bloomington-Normal, Illinois.
To learn more about non-discrimination and health information privacy laws, your civil rights, and privacy rights in health care and human service settings, and to find information on filing a complaint, visit us at http://www.hhs.gov/ocr.