With 4 million patient records exposed, this was the largest fine to date for breach of ePHI (electronic Protected Health Information) which included “demographic information, clinical information, health insurance information, patient names, addresses, credit card numbers and their expiration dates, and dates of birth.” On August 4, 2016 the U.S. Department of Health and Human Services, Office for Civil Rights (OCR) announced its settlement with Advocate Health Care Network (Advocate) after an investigation that began in 2013 based on 3 breach notification reports for failure to:

  • conduct an accurate and thorough assessment of the potential risks and vulnerabilities to all of its ePHI;
  • implement policies and procedures and facility access controls to limit physical access to the electronic information systems housed within a large data support center;
  • obtain satisfactory assurances in the form of a written business associate contract that its business associate would appropriately safeguard all ePHI in its possession; and
  • reasonably safeguard an unencrypted laptop when left in an unlocked vehicle overnight.

The OCR reported that “Advocate is the largest fully-integrated health care system in Illinois, with more than 250 treatment locations, including ten acute-care hospitals and two integrated children’s hospitals.” OCR Director Jocelyn Samuels stated that the resolution agreement and corrective action plan:

We hope this settlement sends a strong message to covered entities that they must engage in a comprehensive risk analysis and risk management to ensure that individuals’ ePHI is secure,…

This includes implementing physical, technical, and administrative security measures sufficient to reduce the risks to ePHI in all physical locations and on all portable devices to a reasonable and appropriate level.