Chicago Tribune
Business
Lisa Schencker

Advocate to pay $5.5 million over data breach in record HIPAA settlement

CHICAGO - Advocate Health Care, a large health care system headquartered in suburban Chicago, will pay $5.55 million to settle allegations it violated federal patient privacy law, the largest such settlement paid by a single entity.

The settlement with the federal government follows an investigation that began in 2013 when Advocate reported three separate data breaches involving its physician-led medical group subsidiary, Advocate Medical Group. The breaches involved the electronic health information of 4 million people, including medical information, names, credit card numbers and birthdays, among other things.

In July 2013, four unencrypted laptops with personal health information were stolen from an administrative office in suburban Chicago. Also that summer, an unauthorized third party accessed the network of an Advocate business associate, potentially compromising the information of more than 2,000 patients. Then in November, Advocate told the U.S. Department of Health and Human Services' Office for Civil Rights that an unencrypted laptop with personal information of more than 2,200 individuals was stolen from the vehicle of an Advocate Medical Group employee.

HHS' Office for Civil Rights investigated the breaches and found that Advocate failed to properly assess the risks related to the data. It also found Advocate didn't reasonably safeguard an encrypted laptop left in an unlocked vehicle overnight and it didn't adequately limit access to its information systems.

Advocate, which did not admit any liability, said in a statement Thursday: "While there continues to be no indication that the information was misused, we deeply regret any inconvenience this incident has caused our patients.

"As all industries deal with the ever-evolving digital landscape and the impact it has on security, we've enhanced our data encryption measures to prevent this type of incident from reoccurring," Advocate said.

Advocate has 11 hospitals and a two-campus children's hospital.

Jocelyn Samuels, HHS' Office for Civil Rights director, said in a news release she hopes the settlement "sends a strong message" about the importance of comprehensive risk analysis and management to ensure electronic health information is secure.

The Office for Civil Rights said the settlement is a result of the "extent and duration" of the alleged noncompliance with the Health Insurance Portability and Accountability Act, as well as the involvement of the Illinois attorney general in the matter, and the large number of people affected.

The Illinois attorney general's investigation into the breaches is also close to a resolution, said spokeswoman Eileen Boyce.
