The United States Department of Health and Human Services, Office for Civil Rights (“OCR”), has assessed a $5.55 million fine against an Illinois healthcare provider for alleged HIPAA data privacy violations.  The settlement is the largest to date between the OCR and any single entity, and is one of several multi-million dollar settlements obtained by the OCR this year.

Advocate Health Care Network (“Advocate”), a nonprofit organization and the largest healthcare organization in Illinois, came under OCR scrutiny in 2013 after it submitted breach notification reports relating to three distinct data security incidents involving its subsidiary, Advocate Medical Group (“AMG”).  According to the OCR, the three incidents affected the electronic protected health information (EPHI) of over four million individuals.  Advocate first reported that four desktop computers containing the EPHI of approximately four million users were stolen from an administrative office building.  In the second incident, Advocate notified HHS that the EPHI of approximately 2,000 patients had been potentially exposed to an unauthorized third party via an associated billing services provider.  The third incident consisted of the theft of a laptop containing the unencrypted EPHI of approximately 2,000 individuals from an unlocked employee vehicle.

According to the OCR, the EPHI included individuals’ demographic information, clinical information, health insurance information, patient names, addresses, credit card numbers and their expiration dates, and dates of birth.  As a result of its investigation, the OCR found, among other things, that Advocate had failed to conduct an accurate and thorough risk analysis of its facilities, IT equipment, applications, and its data systems handling EPHI, that it failed to limit physical access to certain electronic information systems, and that it failed to obtain an adequate assurance from its associated billing services provider regarding the safeguarding of EPHI.

As a “covered entity” under HIPAA, Advocate is subject to OCR regulation.  Under the terms of the settlement, Advocate admits no liability, and in addition to the fine, Advocate has entered into a mandatory corrective action plan set forth by the OCR.