Doctor concerned with health care law

Breaking news and expert analysis on legal and compliance issues

[Back To Home][Back To Archives]

From Health Law Daily, August 5, 2016

Advocate pays $5.55M to resolve fallout from data breach

By Bryant Storm, J.D.

Advocate Health Care Network (Advocate) agreed to pay $5.55 million to settle HHS Office for Civil Rights (OCR) allegations that Advocate violated the Health Insurance Portability and Accountability Act (HIPAA) (P.L. 104-191) as a result of data breaches that affected the electronic protected health information (ePHI) of approximately 4 million individuals. The size of the settlement—which is the largest to-date against a single entity—is due to the scope of the alleged noncompliance, dating back to three 2013 breaches (Settlement Agreement, July 8, 2016).

Breaches. The settlement arose from an HHS OCR investigation into three breach notification reports submitted by Anthem. The breaches resulted from (1) the theft of four desktop computers containing the ePHI of 3,994,175 individuals; (2) the unauthorized third-party access of a business associate’s network; and (3) the theft of an Advocate employee’s unencrypted laptop (see Lawsuit filed in Advocate Health information breach affecting 4 million patient records, September 9, 2013).

Investigation. The OCR investigation revealed that Anthem failed to: (1) conduct an accurate risk assessment regarding vulnerabilities to ePHI; (2) implement policies and procedures to limit physical access to the electronic information systems; (3) obtain satisfactory assurances that business associates would safeguard all ePHI; and (4) reasonably safeguard an unencrypted laptop.

Settlement. In addition to the $5.55 million payment, as a condition of the settlement, Advocate agreed to adopt a corrective action plan to prevent future breaches. Under the corrective action plan, Advocate is obligated to modify its existing risk analysis procedures to better understand the threats to ePHI. Additionally, Advocate must develop a risk management plan to address and mitigate any of those risks to ePHI. The plan also requires that Advocate develop an encryption report describing the status of Advocate’s device encryption. Other obligations under the corrective action plan include requirements to develop enhanced media and facility controls to prevent future thefts.

Companies: Advocate Health Care Network

MainStory: TopStory AuditNews CyberPrivacyFeed EHRNews HITNews HIPAANews RiskNews

Back to Top

Health Law Daily

Introducing Wolters Kluwer Health Law Daily — a daily reporting service created by attorneys, for attorneys — providing same-day coverage of breaking news, court decisions, legislation, and regulatory activity.


A complete daily report of the news that affects your world

  • View full summaries of federal and state court decisions.
  • Access full text of legislative and regulatory developments.
  • Customize your daily email by topic and/or jurisdiction.
  • Search archives for stories of interest.

Not just news — the right news

  • Get expert analysis written by subject matter specialists—created by attorneys for attorneys.
  • Track law firms and organizations in the headlines with our new “Who’s in the News” feature.
  • Promote your firm with our new reprint policy.

24/7 access for a 24/7 world

  • Forward information with special copyright permissions, encouraging collaboration between counsel and colleagues.
  • Save time with mobile apps for your BlackBerry, iPhone, iPad, Android, or Kindle.
  • Access all links from any mobile device without being prompted for user name and password.