$5m Damages Payout For Huge Healthcare Data Breach

Uploaded on 2016-09-05 in NEWS-Cybersecurity News, FREE TO VIEW, BUSINESS-Services-Health & Welfare

One of the US’s biggest health-care systems has agreed to pay the largest settlement ever by a single entity for potential violations of federal patient privacy law, related to breaches that compromised the electronic data of 4 million patients.

Advocate Health Care Network, which operates 12 hospitals and more than 200 other treatment locations in Illinois, will pay $5.55 million to the US Health and Human Services Department as part of the settlement announced by HHS in early August 2016.

Advocate Health Care, which remains under investigation for the data breaches at a subsidiary by the Illinois Attorney General's office, also will be required to adopt a corrective action plan for its data security. The breaches, two of which involved thefts of computers, occurred at a physicians' group that is the largest in the Chicago area.

The patient records compromised included people's names, addresses, dates of birth, credit card numbers with expiration dates, as well as demographic information, clinical information and health insurance information, according to HHS. Advocate Health Care said there "continues to be no indication that the information was misused."

HHS said the settlement is a result of "the extent and duration of the alleged noncompliance" by Advocate Health Care with the law requiring health providers to adequately safeguard electronic protected health information. 

The settlement's disclosure came two days after US News and World Report revealed that six Advocate Health hospitals had placed among that publication's rankings of the best 30 hospitals in Illinois for 2016-17.

"We hope this settlement sends a strong message to covered entities that they must engage in a comprehensive risk analysis and risk management to ensure that individuals' ePHI is secure," said Jocelyn Samuels, director of HHS's Office for Civil Rights. OCR is responsible for enforcing compliance with HIPAA, the Health Insurance Portability and Accountability Act, the law at play in the case.

According to a resolution agreement signed as part of the settlement, Advocate Health Care reported three separate data breaches that occurred between July and November 2013, involving Advocate Medical Group, a physicians' group with more than 1,000 doctors.

The first breach occurred early July 15 when four desktop computers containing records of nearly 4 million patients were stolen from an AMG administrative office in Park Ridge, Illinois.

The second breach involved an unauthorized third party getting access to the network of a company that provides billing services to AMG between June 30 and August 15, 2013, which potentially compromised the health records of more than 2,000 AMG patients, according to the agreement.

Then, on Nov. 1, 2013, an unencrypted laptop containing patient records of more than 2,230 people was stolen from a car belonging to an AMG staffer, the agreement said.

Advocate Health Care did not admit to any wrongdoing in the resolution agreement. But HHS's Office of Civil Rights said that its investigations of the breaches "revealed that Advocate failed" to take a number of steps to safeguard patient data.

Among other things, OCR said Advocate Health Care failed to "conduct an accurate and thorough assessment of the potential risks and vulnerabilities of all of its" electronic patient health information records.

Advocate Health Care also failed to put into place "policies and procedures and facility access controls to limit physical access to the electronic information systems housed within a large data support center," according to OCR.

OCR also faulted Advocate Health Care for not getting satisfactory assurances, in a written contact, that its billing services provider would appropriately safeguard electronic patient records in its possession.

In an emailed statement to CNBC, Advocate Health Care said, "Protecting the privacy and confidentiality of our patients while delivering the highest level of care and service are our top priorities."

"As all industries deal with the ever-evolving digital landscape and the impact it has on security, we've enhanced our data encryption measures to prevent this type of incident from reoccurring," Advocate Health Care said.

"While there continues to be no indication that the information was misused, we deeply regret any inconvenience this incident has caused our patients. We continue to cooperate fully with the government to advance our patient privacy protection efforts."

CNBC: http://bit.ly/2aTWbWJ

« Zimbabwean Army Prepared For Cyber Warfare
The True Cost of Cybercrime in Brazil »

Infosecurity Europe
CyberSecurity Jobsite
Perimeter 81
Cyrin

Real Attacks. Real Tools. Real Scenarios.
Schedule a demo

Sign Up: Cyber Security Intelligence Newsletter

Directory of Suppliers

Clayden Law

Clayden Law

Clayden Law advise global businesses that buy and sell technology products and services. We are experts in information technology, data privacy and cybersecurity law.

Infosecurity Europe, 3-5 June 2025, ExCel London

Infosecurity Europe, 3-5 June 2025, ExCel London

This year, Infosecurity Europe marks 30 years of bringing the global cybersecurity community together to further our joint mission of Building a Safer Cyber World.

Resecurity

Resecurity

Resecurity is a cybersecurity company that delivers a unified platform for endpoint protection, risk management, and cyber threat intelligence.

IT Governance

IT Governance

IT Governance is a leading global provider of information security solutions. Download our free guide and find out how ISO 27001 can help protect your organisation's information.

LockLizard

LockLizard

Locklizard provides PDF DRM software that protects PDF documents from unauthorized access and misuse. Share and sell documents securely - prevent document leakage, sharing and piracy.

Lumeta

Lumeta

Lumeta’s cyber situational awareness platform is the unmatched source for enterprise network infrastructure analytics and security monitoring for breach detection.

Mocana

Mocana

Mocana provides a software platform that allows you to develop, test and distribute more secure IoT devices and services.

CSIRT-CY

CSIRT-CY

CSIRT-CY is the National Computer Security Incident Response Team for Cyprus.

DigitalXRaid

DigitalXRaid

DigitalXRAID is driven and motivated to ensure the bad guys don’t win. We’re dedicated to providing our clients with state-of-the-art cyber security solutions.

Let's Encrypt

Let's Encrypt

Let’s Encrypt is a free, automated, and open digital certificate authority, run for the public’s benefit. It is a service provided by the Internet Security Research Group (ISRG).

Conquest Cyber

Conquest Cyber

Conquest Cyber builds adaptive risk management programs where innovation is most needed – within defense, intelligence, federal civilian agencies and the industrial base that supports them.

Silicon Labs

Silicon Labs

Silicon Labs are a leader in secure, intelligent wireless technology for a more connected world. We provide award-winning hardware and software security to help safeguard connected devices.

AdviserCyber

AdviserCyber

AdviserCyber provide Cybersecurity and Compliance Solutions for Registered Investment Advisers.

Awareness Software Limited (ASL)

Awareness Software Limited (ASL)

As Hosting Specialists, Awareness Software offer practical and affordable hosting solutions including backup and disaster recovery and a range of cybersecurity services.

Bitdefender Voyager Ventures (BVV)

Bitdefender Voyager Ventures (BVV)

Bitdefender Voyager Ventures is an early-stage investment vehicle focused on cybersecurity, data analytics and automation startups.

Guardian Angel Cyber

Guardian Angel Cyber

Guardian Angel Cyber, is your trusted ally in safeguarding your digital assets and online presence.

Internet Initiative Japan (IIJ)

Internet Initiative Japan (IIJ)

IIJ is one of Japan's leading Internet-access and comprehensive network solutions providers.

Offenso Hackers Academy

Offenso Hackers Academy

At Offenso we focus on cyber security training focused on producing cyber security professionals with a wide range of abilities to counter threats from the internet and cloud to a business.

Mother Technologies

Mother Technologies

From Datacentre to Desktop, Mother Technologies has been delivering IT Support, Telecoms, Cybersecurity and Connectivity services to businesses across Scotland and beyond since 2002.

Roundsec

Roundsec

Roundsec provide information security services including risk assessment and pentesting of sites and apps.

EpicCyber

EpicCyber

Since 2011, Epic Cyber has pioneered the integration of enterprise cloud technology.