Largest Ever HIPAA Settlement: Advocate Health to Pay OCR $5.5 Million

Last month, the Department of Health and Human Services' Office for Civil Rights (OCR) announced two large settlements with covered entities to resolve alleged HIPAA violations. However, even the $2.7 million and $2.75 million settlements with UMMC and OHSU are small compared with the latest enforcement action.

OCR has now announced that it has agreed to the largest ever HIPAA settlement with a single covered entity. Advocate Health Care Network will pay a record $5.55 million to resolve multiple potential violations of the Health Insurance Portability and Accountability Act. The previous record was the $3.5 million settlement with Triple S Management Corporation, agreed in November 2015.

As a direct consequence of HIPAA compliance failures, Advocate Health suffered one of the largest healthcare data breaches ever reported, affecting 4,029,530 patients. The breach involved the theft of four desktop computers from Advocate Medical Group's administrative offices in Illinois on July 15, 2013. Two further breaches were reported to OCR within three months of the 4-million+ record breach (a figure later revised to 3,994,175 records). Those incidents affected 2,029 and 2,237 individuals respectively.

The size of the payment reflects the seriousness of the HIPAA violations and the length of time those violations were allowed to persist. Some of the alleged violations date back to the introduction of the HIPAA Security Rule.

Not only did the breach affect a huge number of patients, it also exposed highly sensitive data. The breach exposed names, addresses, dates of birth, clinical data, demographic data, payment card details, and health insurance information.

OCR investigated the breach in 2013, as did the Illinois State Attorney General. OCR investigators again uncovered one of the most common HIPAA violations: the failure to conduct a thorough, organization-wide risk analysis. OCR investigators also identified a series of other HIPAA failures while investigating the breaches at Advocate Health. OCR determined that Advocate Health had not implemented policies and procedures to control physical access to ePHI stored at its Touhy data center, a failure that contributed to the 3,994,175-record breach.

Advocate Health also failed to obtain assurances from a business associate (Blackhawk Consulting Group) that ePHI would be appropriately safeguarded before disclosing 2,027 records. OCR further determined that Advocate Health had not reasonably safeguarded an unencrypted laptop containing 2,237 records. The laptop was stolen from an unlocked vehicle, where it had been left overnight.

In addition to the $5.5 million HIPAA settlement, Advocate Health is required to adopt a corrective action plan to address all of the HIPAA failures. The Corrective Action Plan will run for a period of two years.

Announcing the settlement, OCR Director Jocelyn Samuels said, "We expect this agreement sends a solid message to covered entities that they should engage in complete risk analysis and risk management to make sure that people's electronic protected health information is safe."

Over the past two years, settlements have been reached with the following covered entities after risk analysis failures were identified: Cancer Care Group, P.C. ($750,000), Triple-S Management Corporation ($3.5 million), University of Washington Medicine ($750,000), North Memorial Health Care of Minnesota ($1.55 million), and Oregon Health & Science University ($2.7 million).

Posted by Mark Wilson

Mark Wilson is a news reporter specializing in information technology cyber security. Mark has contributed to leading publications and spoken at international forums with a focus on cybersecurity threats and the importance of data privacy. Mark is a computer science graduate.