This month marked the largest HIPAA settlement to-date for a single entity. Advocate Health Care Network (“Advocate”) agreed to pay $5.5 million and adopt a corrective action plan after an investigation by the Department of Health and Human Services’ Office for Civil Rights (“OCR”) revealed that Advocate’s widespread noncompliance with the requirements of HIPAA affected the protected health information (“PHI”) of four million individuals.

OCR’s investigation into Advocate began in 2013 after its subsidiary, Advocate Medical Group (“AMG”), reported three separate data breaches. AMG reported: (i) a laptop computer stolen from an AMG office building, (ii) unauthorized access into a business associate’s computer network, and (iii) an unencrypted laptop taken from an employee’s unlocked vehicle. In combination, the three data breaches compromised the names, addresses, credit card information, clinical information, and health insurance information of four million individuals. Continue Reading