Advocate Health Care to Pay $5.5M in HIPAA Penalties
The compromised patient information included names, addresses, dates of birth, credit card numbers with expiration dates, demographic information, clinical information and health insurance information.
The fines stem from three separate security breaches of electronic medical records in the summer of 2013 that the 12-hospital system self-reported, and represent the largest single HIPAA-related levy against a single entity, according to HHS’s Office for Civil Rights. In November, Advocate reported to OCR that an unencrypted laptop with the PII of a further 2,200 patients was stolen from an Advocate Medical Group employee’s auto.
While OCR hit Advocate hard in its enforcement action, an Illinois appellate court in August 2015 upheld the dismissal of two breach-related lawsuits filed against the health system (see Advocate Health Ruling: The Impact).
Privacy attorney Kirk Nahra of the law firm Wiley Rein says that while the settlement appears to focus on compliance issues, such as failure to conduct risk analysis, that are frequently highlighted by the enforcement agency, the OCR breach investigations likely uncovered egregious violations.
This story, “Illinois hospital chain to pay record $5.5M for exposing data about millions of patients” was originally published by Computerworld.
After conducting an investigation, the OCR concluded that Advocate failed to assess the risks to its ePHI, restrict physical access to its IT systems, obtain a written record that its associates would protect Advocate’s ePHI, and guard an unencrypted laptop while it was in an unlocked auto overnight.
Jocelyn Samuels, HHS’ Office for Civil Rights director, said in a news release she hopes the settlement “sends a strong message” about the importance of comprehensive risk analysis and management to ensure electronic health information is secure.
“The policies shall identify criteria for the use of such hardware and electronic media and procedures for obtaining authorization for the use of personal devices and media that utilize Advocate ePHI systems”, the CAP states. “This includes implementing physical, technical, and administrative security measures sufficient to reduce the risks to in all physical locations and on all portable devices to a reasonable and appropriate level”. “We continue to cooperate fully with the government to advance our patient privacy protection efforts”.
A breach involving Blackhawk Consulting Group, a business associate which provides billing services to Advocate.
Developing an enhanced privacy and security awareness training program. “It’s collected and combined by the bad guys into a vast data set of consumer data, which is extremely useful to today’s fraudsters to thwart existing online security and identity verification systems”.
“I don’t think we even reached anywhere near the peak of the curve with the problem healthcare has with data security”, says Rick Kam, president and co-founder of ID Experts, a developer of software and for managing cyber risks and data breaches.