[BreachExchange] Advocate Health Hit with Record $5.5 Million HIPAA Penalty

Audrey McNeil audrey at riskbasedsecurity.com
Thu Aug 4 19:48:37 EDT 2016


http://www.databreachtoday.com/advocate-health-hit-record-55-million-hipaa-penalty-a-9307

In the largest HIPAA enforcement settlement to date, federal regulators
have smacked Chicago-based Advocate Health Care with a $5.55 million fine
in the wake of an investigation into three 2013 breaches. The largest
incident, involving four stolen unencrypted computers, affected about 4
million individuals.

"This significant settlement, the largest to-date against a single entity,
is a result of the extent and duration of the alleged noncompliance -
dating back to the inception of the [HIPAA] Security Rule in some instances
- the involvement of the state attorney general in a corresponding
investigation, and the large number of individuals whose information was
affected by Advocate, one of the largest health systems in the country,"
the Department of Health and Human Services' Office for Civil Rights says
in an Aug. 4 statement.

OCR Director Jocelyn Samuels notes: "We hope this settlement sends a strong
message to covered entities that they must engage in a comprehensive risk
analysis and risk management to ensure that individuals' ePHI is secure.
This includes implementing physical, technical and administrative security
measures sufficient to reduce the risks to ePHI in all physical locations
and on all portable devices to a reasonable and appropriate level."

OCR says its latest enforcement action, which includes a detailed
corrective action plan, follows its investigation launched after Advocate,
which operates 12 hospitals and numerous clinics, submitted three breach
notification reports pertaining to separate incidents involving its
subsidiary, Advocate Medical Group.

Reasons for Big Fine

Privacy attorney Kirk Nahra of the law firm Wiley Rein says that while the
settlement appears to focus on compliance issues, such as failure to
conduct risk analysis, that are frequently highlighted by the enforcement
agency, the OCR breach investigations likely uncovered egregious violations.

"OCR is - and has been historically - both reasonable and knowledgeable,"
he says. "They seem to know when people are trying hard and when they are
not. Going through their cases - and I don't see anything here to indicate
this [Advocate case] is different - 'extent and duration' matters a lot, as
does not fixing existing problems."

Privacy attorney David Holtzman, vice president of compliance at the
security consultancy CynergisTek, says every OCR resolution agreement is a
negotiated settlement in which any number of factors can influence the
outcome. "A significant factor in the size of the payment to settle the
allegations with OCR is the length of time in which OCR found that Advocate
had not met the requirements of the HIPAA Security Rule, as well as their
apparent ample financial resources allowing them to absorb the cost of such
a penalty," he says.

"What I see as important are the allegations that Advocate health system
had not met the HIPAA Security Rule requirements established in 2005 to
perform an enterprisewide information security risk assessment or put into
place a program designed to reasonably safeguard protected health
information across its organization," Holtzman says.

Privacy attorney Adam Greene of the law firm Davis Wright Tremaine says the
settlement offers important lessons: "The top three takeaways for me from
this settlement are: The bigger the entity, the bigger the settlement, with
OCR steadily increasing the settlement amount it is seeking to impose on
large covered entities. Covered entities have had over a decade to come
into compliance with the HIPAA Security Rule. ... And OCR continues to
focus on the importance of a risk analysis."

OCR's 10th Settlement This Year

The settlement with Advocate is OCR's tenth enforcement action so far in
2016, keeping the agency on a roll in issuing a record number of HIPAA
enforcement actions (see 2016 Watershed Year for HIPAA Enforcement).

This latest fine brings the total penalties levied by OCR this year to
about $20.5 million, more than in any previous year.

"At this point, we have a record number of settlements in 2016, and a
record-breaking settlement amount, with over four months remaining in the
year," Greene notes. "I expect that we will continue to see an increased
number of settlements over the coming years, although there may be a lull
in the beginning of 2017 as the administration changes."

Nahra adds: "You could certainly read into the last few months of HIPAA
activity and say both that the pace of enforcement is increasing and that
OCR is being less tolerant of significant violations. I don't see any
overall change at the biggest picture level - they still tend to be
reasonable, and appreciate strong efforts at compliance, even if something
doesn't work."

The message to HIPAA covered entities and business associates from the
latest enforcement activities, Nahra says, is: "OCR is out there, is
active, and can tell if you aren't doing a good job. It makes sense to
re-evaluate and re-examine your compliance approach, even if you haven't
had real problems before."

The Three Breaches

The three Advocate breaches exposed a variety of demographic, clinical and
health insurance information, as well as credit card numbers. The largest
of the incidents involved the theft of four unencrypted computers in July
2013 from an office of Advocate Medical Group in Illinois.

OCR notes that the two other breaches reported in 2013 leading to the
settlement included:

- A breach involving Blackhawk Consulting Group, a business associate which
  provides billing services to Advocate. Advocate reported that the ePHI of
  2,027 patients had been potentially compromised when an unauthorized third
  party accessed Blackhawk's network.
- The theft of an unencrypted laptop containing the ePHI of approximately
  2,237 individuals from an Advocate workforce member's vehicle.

OCR says the investigations into the three incidents revealed that Advocate
failed to:

- Conduct an accurate and thorough assessment of the potential risks and
  vulnerabilities to all of its ePHI;
- Implement policies and procedures and facility access controls to limit
  physical access to the electronic information systems housed within a large
  data support center;
- Obtain satisfactory assurances in the form of a written business associate
  contract that its business associate would appropriately safeguard all ePHI
  in its possession;
- Reasonably safeguard an unencrypted laptop when left in an unlocked vehicle
  overnight.

Corrective Actions Mandated

As part of the resolution agreement, Advocate has agreed to a corrective
action plan that calls for:

- Conducting a comprehensive and thorough risk analysis and implementing a
  risk management plan;
- Implementing processes for evaluating environmental and operational changes
  that affect the security of ePHI in Advocate's possession or control;
- Developing a report on its encryption status;
- Revising policies and procedures on device and media controls as well as
  limiting physical access to all of its electronic information;
- Revising policies and procedures related to business associates; and
- Developing an enhanced privacy and security awareness training program.

In a statement provided to Information Security Media Group, Advocate says:
"Protecting the privacy and confidentiality of our patients while
delivering the highest level of care and service are our top priorities. As
all industries deal with the ever-evolving digital landscape and the impact
it has on security, we've enhanced our data encryption measures to prevent
this type of incident from reoccurring. While there continues to be no
indication that the information was misused, we deeply regret any
inconvenience this incident has caused our patients. We continue to
cooperate fully with the government to advance our patient privacy
protection efforts."

While OCR hit Advocate hard in its enforcement action, an Illinois
appellate court in August 2015 upheld the dismissal of two breach-related
lawsuits filed against the health system (see Advocate Health Ruling: The
Impact).