With 4 million patient records exposed, this was the largest fine to date for breach of ePHI (electronic Protected Health Information) which included “demographic information, clinical information, health insurance information, patient names, addresses, credit card numbers and their expiration dates, and dates of birth.” On August 4, 2016 the U.S. Department of Health and Human Services, Office for Civil Rights (OCR) announced its settlement with Advocate Health Care Network (Advocate) after an investigation that began in 2013 based on 3 breach notification reports for failure to:
The OCR reported that “Advocate is the largest fully-integrated health care system in Illinois, with more than 250 treatment locations, including ten acute-care hospitals and two integrated children’s hospitals.” OCR Director Jocelyn Samuels stated that the resolution agreement and corrective action plan:
We hope this settlement sends a strong message to covered entities that they must engage in a comprehensive risk analysis and risk management to ensure that individuals’ ePHI is secure,…
This includes implementing physical, technical, and administrative security measures sufficient to reduce the risks to ePHI in all physical locations and on all portable devices to a reasonable and appropriate level.
Surely we will see more HIPAA violations and penalties, so stay tuned.