Of course a HIPAA breach is bad news for any covered entity, but when there are three breaches in a row, it’s not just bad news – it’s a pattern. In three separate breach reports filed with HHS in a three-month period, Advocate Health Care Network disclosed that: (1) four desktop computers containing PHI of about 4 million patients had been stolen from its administrative office building; (2) someone had hacked into the network of its billing contractor and potentially compromised the PHI of 2,000 patients; and (3) an unencrypted laptop with the PHI of another 2,200 patients had been stolen from an employee’s unlocked car.

HHS investigated all three incidents and reached an agreement with Advocate Health under which Advocate Health will pay a sanction of $5.55 million, the largest amount ever agreed to by a single entity. Why so much? HHS explained in its press release that the amount was due to the large number of individuals affected, the nature of the information disclosed (names, addresses, dates of birth, medical information, and credit card information), and the extent and duration of the HIPAA Security Rule noncompliance. For example, HHS asserted that Advocate Health had never conducted an adequate security risk assessment; had not implemented access controls to its data support center; had inadequate or non-existent business associate agreements with its contractors to assure that its business associates would appropriately safeguard PHI; and had inadequate safeguards for its mobile devices.

Covered entities should review the entire resolution agreement linked in the press release to see if they have similar security weaknesses that need to be addressed.