Health system to pay $5.55 million in largest ever HIPAA settlement

A major Illinois healthcare system will pay $5.55 million to settle allegations of HIPAA noncompliance, marking the largest settlement to date against a single entity, officials said.

The allegations against Advocate Health Care Network, which operates 12 acute-care hospitals and more than 400 other sites of care across the state, involve data breaches that jeopardized the electronic protected health information of around 4 million patients.

That information includes patient names, addresses, demographic data, health insurance information and credit card numbers, the Department of Health and Human Services said in a news release on the settlement.

HHS argues that Advocate failed to conduct accurate and thorough assessments of the risks and vulnerabilities to its patients' data, implement policies to limit physical access to the data, and obtain assurances that one of the system's business associates would safeguard the data in its possession. Advocate also failed to secure an unencrypted laptop that was left in an unlocked vehicle and subsequently stolen, HHS said.

Advocate said in a statement that the company has beefed up its data encryption measures to prevent future breaches in “the ever-evolving digital landscape.”

“While there continues to be no indication that the information was misused, we deeply regret any inconvenience this incident has caused our patients,” Advocate said. “We continue to cooperate fully with the government to advance our patient privacy protection efforts.”