OCR hits Advocate Health Care with $5.55 million HIPAA fine

Editor's Note: Post updated to include Advocate statement.

Advocate Health Care Network has agreed to pay $5.55 million in penalties in a settlement with the Health and Human Services Department's Office for Civil Rights, the largest HIPAA enforcement action yet against a single entity.

The fine stems from three breaches that Advocate Health Care Network, the largest integrated healthcare system in Illinois, reported in 2013, OCR announced Thursday. Among them was the theft of four desktop computers containing the electronic protected health information (ePHI) of approximately 4 million patients.

OCR said the size of the penalty reflects the extent and duration of the alleged noncompliance, the state attorney general's corresponding investigation into the incidents and the large number of patients affected.

Among OCR’s findings against Advocate:

  • It failed to fully assess the potential risks and vulnerabilities to its patient data.
  • It did not apply proper security policies and procedures.
  • It failed to implement physical access controls at a large data support center.
  • It did not obtain written business associate agreements requiring its business associates to safeguard the ePHI in their possession.

In a statement sent to FierceHealthIT, Advocate said it has enhanced its data encryption measures to prevent this type of incident from reoccurring.

"While there continues to be no indication that the information was misused, we deeply regret any inconvenience this incident has caused our patients," the statement said. "We continue to cooperate fully with the government to advance our patient privacy protection efforts."

OCR levied almost $15 million in fines in the first six months of 2016, including a $3.9 million fine against Feinstein Institute for Medical Research in March, previously the largest against a single organization. By comparison, OCR's fines for all of 2015 totaled $6.2 million.

To learn more:
- here's the OCR announcement
- read the resolution agreement