$5m Damages Payout For Huge Healthcare Data Breach

Uploaded on 2016-09-05 in NEWS-Cybersecurity News, FREE TO VIEW, BUSINESS-Services-Health & Welfare

One of the US’s biggest health-care systems has agreed to pay the largest settlement ever by a single entity for potential violations of federal patient privacy law, related to breaches that compromised the electronic data of 4 million patients.

Advocate Health Care Network, which operates 12 hospitals and more than 200 other treatment locations in Illinois, will pay $5.55 million to the US Health and Human Services Department as part of the settlement announced by HHS in early August 2016.

Advocate Health Care, which remains under investigation for the data breaches at a subsidiary by the Illinois Attorney General's office, also will be required to adopt a corrective action plan for its data security. The breaches, two of which involved thefts of computers, occurred at a physicians' group that is the largest in the Chicago area.

The patient records compromised included people's names, addresses, dates of birth, credit card numbers with expiration dates, as well as demographic information, clinical information and health insurance information, according to HHS. Advocate Health Care said there "continues to be no indication that the information was misused."

HHS said the settlement is a result of "the extent and duration of the alleged noncompliance" by Advocate Health Care with the law requiring health providers to adequately safeguard electronic protected health information. 

The settlement's disclosure came two days after US News and World Report revealed that six Advocate Health hospitals had placed among that publication's rankings of the best 30 hospitals in Illinois for 2016-17.

"We hope this settlement sends a strong message to covered entities that they must engage in a comprehensive risk analysis and risk management to ensure that individuals' ePHI is secure," said Jocelyn Samuels, director of HHS's Office for Civil Rights. OCR is responsible for enforcing compliance with HIPAA, the Health Insurance Portability and Accountability Act, the law at play in the case.

According to a resolution agreement signed as part of the settlement, Advocate Health Care reported three separate data breaches that occurred between July and November 2013, involving Advocate Medical Group, a physicians' group with more than 1,000 doctors.

The first breach occurred early July 15 when four desktop computers containing records of nearly 4 million patients were stolen from an AMG administrative office in Park Ridge, Illinois.

The second breach involved an unauthorized third party getting access to the network of a company that provides billing services to AMG between June 30 and August 15, 2013, which potentially compromised the health records of more than 2,000 AMG patients, according to the agreement.

Then, on Nov. 1, 2013, an unencrypted laptop containing patient records of more than 2,230 people was stolen from a car belonging to an AMG staffer, the agreement said.

Advocate Health Care did not admit to any wrongdoing in the resolution agreement. But HHS's Office of Civil Rights said that its investigations of the breaches "revealed that Advocate failed" to take a number of steps to safeguard patient data.

Among other things, OCR said Advocate Health Care failed to "conduct an accurate and thorough assessment of the potential risks and vulnerabilities of all of its" electronic patient health information records.

Advocate Health Care also failed to put into place "policies and procedures and facility access controls to limit physical access to the electronic information systems housed within a large data support center," according to OCR.

OCR also faulted Advocate Health Care for not getting satisfactory assurances, in a written contact, that its billing services provider would appropriately safeguard electronic patient records in its possession.

In an emailed statement to CNBC, Advocate Health Care said, "Protecting the privacy and confidentiality of our patients while delivering the highest level of care and service are our top priorities."

"As all industries deal with the ever-evolving digital landscape and the impact it has on security, we've enhanced our data encryption measures to prevent this type of incident from reoccurring," Advocate Health Care said.

"While there continues to be no indication that the information was misused, we deeply regret any inconvenience this incident has caused our patients. We continue to cooperate fully with the government to advance our patient privacy protection efforts."

CNBC: http://bit.ly/2aTWbWJ

« Zimbabwean Army Prepared For Cyber Warfare
The True Cost of Cybercrime in Brazil »

CyberSecurity Jobsite
Perimeter 81
Cyrin

Real Attacks. Real Tools. Real Scenarios.
Schedule a demo

Go Cyber

Training that transforms behaviours

Sign Up: Cyber Security Intelligence Newsletter

Directory of Suppliers

ON-DEMAND WEBINAR: What Is A Next-Generation Firewall (and why does it matter)?

ON-DEMAND WEBINAR: What Is A Next-Generation Firewall (and why does it matter)?

Watch this webinar to hear security experts from Amazon Web Services (AWS) and SANS break down the myths and realities of what an NGFW is, how to use one, and what it can do for your security posture.

Jooble

Jooble

Jooble is a job search aggregator operating in 71 countries worldwide. We simplify the job search process by displaying active job ads from major job boards and career sites across the internet.

Practice Labs

Practice Labs

Practice Labs is an IT competency hub, where live-lab environments give access to real equipment for hands-on practice of essential cybersecurity skills.

MIRACL

MIRACL

MIRACL provides the world’s only single step Multi-Factor Authentication (MFA) which can replace passwords on 100% of mobiles, desktops or even Smart TVs.

CSI Consulting Services

CSI Consulting Services

Get Advice From The Experts: * Training * Penetration Testing * Data Governance * GDPR Compliance. Connecting you to the best in the business.

First Response

First Response

First Response is a Cyber Incident Response and Digital Forensic Investigation company.

Athena Dynamics

Athena Dynamics

Athena Dynamics focuses on Cyber Security, especially in Critical Information Infra-structure Protection and Enterprise IT Operation Management products and Services.

Authentic8

Authentic8

Authentic8 transforms how organizations secure and control the use of the web with Silo, its patented cloud browser.

Digital Hands

Digital Hands

Digital Hands is an award-winning managed security services provider.

Evidence Talks Ltd

Evidence Talks Ltd

A leading forensic computing authority developing unique digital forensic technologies. Tools that detect potential terrorists & criminals & used by the military, enforcement & intelligence commmunity

BrainChip

BrainChip

BrainChip is the leading provider of neuromorphic computing solutions, a type of artificial intelligence that is inspired by the biology of the human neuron - spiking neural networks.

Sectigo

Sectigo

Sectigo is a leading cybersecurity provider of digital identity solutions, including TLS / SSL certificates, DevOps, IoT, and enterprise-grade PKI management, as well as multi-layered web security.

DFI

DFI

DFI is a global leading provider of high-performance computing technology across multiple embedded industries.

UK Research & Innovation (UKRI)

UK Research & Innovation (UKRI)

UKRI works in partnership with universities, research organisations, businesses, charities, and government to create the best possible environment for research and innovation to flourish.

Digital Identification & Authentication Council of Canada (DIACC)

Digital Identification & Authentication Council of Canada (DIACC)

DIACC is a non-profit coalition of public and private sector leaders committed to developing a Canadian framework for digital identification and authentication.

NGN International

NGN International

NGN International is a full-fledged systems integrator and managed security services provider established in 2015 in Bahrain.

Intaso

Intaso

Intaso are a boutique head hunting and talent solution firm with specialist Cyber and Information Security expertise.

Information Technology Solutions (ITS)

Information Technology Solutions (ITS)

Information Technology Solutions is a single source provider for managing and securing mission-critical IT services.

Stacklet

Stacklet

Stacklet provides cloud governance as code platform that accelerates how Global 2000 manages its security, asset visibility, operations, and cost optimization policies in the cloud.

Protexxa

Protexxa

Protexxa is a B2B SaaS cybersecurity platform that leverages Artificial Intelligence to rapidly identify, evaluate, predict, and resolve cyber issues for employees.

Fescaro

Fescaro

FESCARO is a trusted cybersecurity partner for global automakers and their partners, helping them transition to software-defined vehicles (SDVs) with tailored automotive software solutions.