Last month, the Department of Health and Human Services’ Office for Civil Rights (OCR) announced two large settlements with covered entities to resolve alleged HIPAA violations. However, even the $2.7 million and $2.75 million settlements at OHSU and UMMC were small in comparison to the latest enforcement action.
OCR has now announced the largest ever HIPAA settlement with a single covered entity. Advocate Health Care Network will pay a record $5.55 million to settle multiple potential violations of the Health Insurance Portability and Accountability Act. The previous record was the $3.5 million settlement with Triple-S Management Corporation agreed in November 2015.
As a direct result of HIPAA failures, Advocate Health experienced one of the largest healthcare data breaches ever reported, initially stated to impact 4,029,530 patients (a figure subsequently amended to 3,994,175). The breach involved the theft of four desktop computers from Advocate Medical Group’s administrative buildings in Park Ridge, Illinois on July 15, 2013. Two further breaches were reported to OCR within three months of that incident, impacting 2,027 and 2,237 individuals respectively.
The huge settlement reflects the severity of the HIPAA violations and the length of time that those violations were allowed to persist. Some of the alleged violations date back to the inception of the HIPAA Security Rule.
Not only did the breach impact a huge number of patients, it also exposed highly sensitive data: demographic data (names, addresses, and dates of birth), clinical data, health insurance information, and payment card details.
OCR investigated the breach in 2013, as did the Illinois State Attorney General. OCR investigators once again uncovered one of the most common HIPAA violations: the failure to conduct a comprehensive, organization-wide risk analysis. Investigators also uncovered a catalogue of other HIPAA failures while examining the breaches at Advocate Health. OCR determined that Advocate Health had failed to implement policies and procedures to control physical access to ePHI stored in its Touhy data support center, which contributed to the 3,994,175-record breach.
Advocate Health failed to obtain assurances from a business associate (Blackhawk Consulting Group) that ePHI would be appropriately safeguarded prior to disclosing 2,027 records. OCR also determined that Advocate Health failed to reasonably safeguard an unencrypted laptop computer containing 2,237 records. The laptop was stolen from an unlocked vehicle, where it had been left overnight.
In addition to the $5.55 million HIPAA settlement, Advocate Health is also required to adopt a corrective action plan (CAP) to address all of the HIPAA failures identified. The CAP will last for a period of two years.
When announcing the settlement, OCR Director Jocelyn Samuels said “We hope this settlement sends a strong message to covered entities that they must engage in a comprehensive risk analysis and risk management to ensure that individuals’ electronic protected health information is secure.”
In the past two years, settlements have been reached with the following covered entities after risk analysis failures were discovered: Oregon Health & Science University ($2.7 million); North Memorial Health Care of Minnesota ($1.55 million); University of Washington Medicine ($750,000); Triple-S Management Corporation ($3.5 million); and Cancer Care Group, P.C. ($750,000).