Health Law Daily
Friday, August 5, 2016

By Bryant Storm, J.D.

Advocate Health Care Network (Advocate) agreed to pay $5.55 million to settle HHS Office for Civil Rights (OCR) allegations that Advocate violated the Health Insurance Portability and Accountability Act (HIPAA) (P.L. 104-191) as a result of data breaches that affected the electronic protected health information (ePHI) of approximately 4 million individuals. The size of the settlement—the largest to date against a single entity—reflects the scope of the alleged noncompliance, dating back to three 2013 breaches (Settlement Agreement, July 8, 2016).

Breaches. The settlement arose from an HHS OCR investigation into three breach notification reports submitted by Anthem. The breaches resulted from (1) the theft of four desktop computers containing the ePHI of 3,994,175 individuals; (2) the unauthorized third-party access of a business associate’s network; and (3) the theft of an Advocate employee’s unencrypted laptop (see Lawsuit filed in Advocate Health information breach affecting 4 million patient records, September 9, 2013).

Investigation. The OCR investigation revealed that Anthem failed to: (1) conduct an accurate risk assessment regarding vulnerabilities to ePHI; (2) implement policies and procedures to limit physical access to the electronic information systems; (3) obtain satisfactory assurances that business associates would safeguard all ePHI; and (4) reasonably safeguard an unencrypted laptop.

Settlement. In addition to the $5.55 million payment, as a condition of the settlement, Advocate agreed to adopt a corrective action plan to prevent future breaches. Under the corrective action plan, Advocate is obligated to modify its existing risk analysis procedures to better understand the threats to ePHI. Additionally, Advocate must develop a risk management plan to address and mitigate any of those risks to ePHI. The plan also requires that Advocate develop an encryption report describing the status of Advocate’s device encryption. Other obligations under the corrective action plan include requirements to develop enhanced media and facility controls to prevent future thefts.

Companies: Advocate Health Care Network
