September 6, 2016

    Advocate Health Care HIPAA Violation Settlement

    They say that you just can’t put a price on the importance of keeping your data safe and secure in today’s tech-driven environment.

    What you can put a price on, however, is the failure to remain compliant with HIPAA if you’re a healthcare provider.

    This is something that Advocate Health Care Network has recently learned the hard way: after a lengthy investigation, the U.S. Department of Health and Human Services’ Office for Civil Rights (OCR) put them on the receiving end of an incredible $5.55 million fine.

    Advocate Health Care Network: What Happened?

    The OCR’s investigation into the IT infrastructure of Advocate Health Care Network began in 2013, as a direct result of not one but three breach notification reports filed by the company. Advocate Medical Group, a subsidiary of the larger health care network, was the victim of three devastating cyber attacks that ultimately affected the electronic protected health information (ePHI) of more than four million patients.

    Though the investigation itself took a long time, the results were conclusive. OCR determined that Advocate had failed to conduct a thorough risk assessment of its electronic health systems. Not only did it lack the policies needed to limit physical access to the digital resources in its data center, but it also never obtained written business associate agreements requiring its associates to adequately protect this information in the first place.

    To top it all off, a representative from Advocate also left an unencrypted laptop computer overnight in a business vehicle. Though the data contained on the laptop was not exposed, it easily could have been – further adding to the sticky situation the company found itself in. Jocelyn Samuels, the current director of OCR, indicated that the HIPAA violation and the subsequent fines levied against Advocate were intended to send a strong message about the importance of cyber security. She said in a statement that she hoped the case underlined the importance not only of conducting comprehensive risk analysis and risk management on an ongoing basis, but also of implementing physical, technical and administrative security measures across all aspects of an enterprise.

    The Illinois State Attorney General’s office began a similar investigation around the same time as the OCR investigation in 2013. Its findings, along with the huge number of patients ultimately affected by the breaches, also contributed to the size of the fine that Advocate received. The extent of the damage and the length of time the company had been out of compliance with HIPAA played important roles as well.

    Moving Forward

    Advocate will go down in history as the recipient of the single largest HIPAA settlement against one entity to date. As part of the settlement, the company has agreed to quickly adopt a corrective action plan that will bring it up to full HIPAA compliance and make sure that this type of thing doesn’t happen again.

    Hopefully, this will do exactly what the Office for Civil Rights intended it to do – send a strong message to healthcare providers nationwide about the importance of HIPAA compliance and data security in the digital age. This is particularly key at a time when security breaches are not only happening more frequently, but when the healthcare industry in general continues to be a prime target for hackers around the world.

    Martin Horan

    Martin, Sharetru's Founder, brings deep expertise in secure file transfer and IT, driving market niche success through quality IT services.
