Advocate Health Care Network pays $5.55 million to settle data breach case
Downers Grove-based Advocate Health Care Network agreed to pay a $5.55 million settlement with the U.S. Department of Health and Human Services' Office for Civil Rights stemming from a breach that jeopardized the data of about 4 million patients.
The government said this settlement is perhaps the largest to date against a single group.
Advocate, one of the nation's biggest health care systems, which operates 12 hospitals and more than 200 other treatment locations in Illinois, faced multiple potential violations of the Health Insurance Portability and Accountability Act when laptops containing patient information were stolen from its Park Ridge office about three years ago, the government said in a statement.
Advocate, which also agreed to adopt a corrective action plan, said its priority is to protect the privacy and confidentiality of its patients, according to Advocate spokeswoman Lisa Trafficanta Lesniak.
"As all industries deal with the ever-evolving digital landscape and the impact it has on security, we've enhanced our data encryption measures to prevent this type of incident from reoccurring," Lesniak said. "While there continues to be no indication that the information was misused, we deeply regret any inconvenience this incident has caused our patients. We continue to cooperate fully with the government to advance our patient privacy protection efforts."
In 2013, the government started an investigation after Advocate submitted three breach notification reports involving its subsidiary Advocate Medical Group's office in Park Ridge. The data included demographic information, clinical and health insurance information, patient names, addresses, dates of birth, and credit card numbers.
The government's investigation revealed Advocate failed to conduct a thorough assessment of potential risks and vulnerabilities to all of its data and didn't adequately limit access to its information systems, among other issues.
"We hope this settlement sends a strong message to covered entities that they must engage in a comprehensive risk analysis and risk management to ensure that individuals' (data) is secure," said OCR Director Jocelyn Samuels. "This includes implementing physical, technical, and administrative security measures sufficient to reduce the risks to (data) in all physical locations and on all portable devices to a reasonable and appropriate level."