It is the largest fine for a single entity, stemming from three separate breaches of the electronic health records of more than 4 million patients.
Chicago-based Advocate Health Care Network will pay $5.55 million in fines for multiple potential violations of the Health Insurance Portability and Accountability Act that potentially jeopardized the electronic health records of more than 4 million patients, the Department of Health and Human Services announced Thursday.
The fines stem from three separate security breaches of electronic medical records in the summer of 2013 that the 12-hospital system self-reported, and represent the largest single HIPAA-related levy against a single entity, according to HHS's Office for Civil Rights.
Two of the data breaches involved potential access to unencrypted health records taken from stolen laptop computers, and a third involved the potential unauthorized access to patient records through a third-party consultant.
"We hope this settlement sends a strong message to covered entities that they must engage in a comprehensive risk analysis and risk management to ensure that individuals' (electronic protected health information, ePHI) is secure," OCR Director Jocelyn Samuels said in remarks accompanying the settlement.
"This includes implementing physical, technical, and administrative security measures sufficient to reduce the risks to ePHI in all physical locations and on all portable devices to a reasonable and appropriate level."
The agreement is not an admission of liability by Advocate, nor a concession by HHS that Advocate is not violating HIPAA rules and is not liable for civil penalties, the settlement states.
Advocate issued this statement: "Protecting the privacy and confidentiality of our patients while delivering the highest level of care and service are our top priorities. As all industries deal with the ever-evolving digital landscape and the impact it has on security, we've enhanced our data encryption measures to prevent this type of incident from reoccurring. While there continues to be no indication that the information was misused, we deeply regret any inconvenience this incident has caused our patients. We continue to cooperate fully with the government to advance our patient privacy protection efforts."
Cyber Attack Puts Banner Health Patients at Risk
In an unrelated case, Phoenix-based Banner Health announced a cyber attack on the health system's food and beverage outlets in June and July that jeopardizes the credit card and personal data of 3.7 million employees, patients and patrons.