Advocate Health to pay largest HIPAA settlement

From the original article:

Advocate Health Care has agreed to pay $5.55 million to settle multiple data protection violations over the past three years, marking the largest Health Insurance Portability and Accountability Act settlement HHS has ever received.

HHS’ Office for Civil Rights said the massive settlement was due to the extent and duration of the Downers Grove, Ill.-based health system’s noncompliance with data security laws, as well as the number of patients affected by the security violations involving patients’ protected health information.

The agency started investigating Advocate’s data security issues in 2013 after it received three breach notification reports in four months from the health system. All in all, the security lapses affected approximately 4 million Advocate patients.

Ultimately, HHS’ Office for Civil Rights found that Advocate failed to accurately assess potential risks to its information technology systems and ensure that it and its business associates had adequate protections in place.

“We hope this settlement sends a strong message to covered entities that they must engage in a comprehensive risk analysis and risk management to ensure that individuals’ ePHI is secure,” said Office for Civil Rights Director Jocelyn Samuels, referring to electronic patient health information. “This includes implementing physical, technical, and administrative security measures sufficient to reduce the risks to ePHI in all physical locations and on all portable devices to a reasonable and appropriate level.”

HHS has been actively scoring settlements in HIPAA cases recently, including a $2.75 million settlement with the University of Mississippi Medical Center in Jackson and a $2.7 million deal with Oregon Health & Science University, Portland, within days of each other in July.


iMARSMED has created a free set of tools that can bring HIPAA compliance to your practice: data protection and security, HIPAA email and messaging, HIPAA file sharing, scheduling and appointment reminders, etc.

