Advocate Health Care to pay record $5.55M HIPAA class-action settlement

Advocate Health Care Network, the largest health system in Illinois, will pay $5.55 million to settle “potential” HIPAA violations affecting about 4 million people, the U.S. Department of Health and Human Services said Thursday. The amount is the largest such settlement to date reached with a single organization, according to HHS.

As is customary in HIPAA settlements, Downers Grove, Illinois-based Advocate had to agree to a corrective action plan with the HHS Office for Civil Rights, which enforces the HIPAA privacy and security rules.

The long-running investigation by OCR began in 2013, after Advocate submitted three breach notifications involving its physician practice, Advocate Medical Group. The breaches compromised electronic data on about 4 million individuals and included patient names, addresses, birthdates, demographic, clinical and insurance records, as well as credit card numbers, OCR said.

An OCR investigation of the breaches found that Advocate was lax in assessing risks to electronic patient data, didn’t fully control physical access to data centers, often lacked proper business associate agreements with vendors and failed to “reasonably safeguard an unencrypted laptop when left in an unlocked vehicle overnight,” according to a statement.

The agency said that Advocate may have violated federal standards “dating back to the inception” of the HIPAA security rule. That rule was finalized in 2003, and most healthcare entities in the U.S. had to be in compliance by April 21, 2005.