The costs for mishandling electronic protected health information (ePHI) continue to skyrocket.
Advocate Health Care Network has agreed to pay a record $5.5 million to settle claims that it violated the security rule of the Health Insurance Portability and Accountability Act (HIPAA), resulting in data breaches that compromised the records of roughly 4 million people.
The Aug. 4 settlement – the largest in the history of HIPAA enforcement actions – stemmed from three separate data breaches that occurred within months of each other in 2013.
Federal authorities said Advocate failed to conduct mandatory risk assessments, properly safeguard laptops containing ePHI or obtain a required business associate agreement with a third-party contractor that handled medical billing.
“We hope this settlement sends a strong message to covered entities that they must engage in a comprehensive risk analysis and risk management to ensure that individuals’ ePHI is secure,” said Jocelyn Samuels, director of the U.S. Department of Health and Human Services’ Office of Civil Rights. “This includes implementing physical, technical, and administrative security measures sufficient to reduce the risks to ePHI in all physical locations and on all portable devices to a reasonable and appropriate level.”
Security of ePHI has become a growing concern for managed services providers (MSPs) with customers in health care.
MSPs with expertise in HIPAA compliance can realize a huge market opportunity by managing sensitive patient data for health care entities.
But the lucrative vertical also carries substantial financial risks in the form of penalties and legal costs if ePHI is mishandled.
Under HIPAA rules, MSPs are considered “business associates,” and must sign agreements with the health care customer assuring they will abide by all data security requirements.
One of the three Advocate breaches involved Blackhawk Consulting Group, which provided billing services.
In that case, the ePHI of more than 2,000 Advocate patients was compromised when an unauthorized third party gained access to Blackhawk’s network.
“Advocate failed to obtain satisfactory assurances in the form of a written business associate contract that its business associate would appropriately safeguard all ePHI in its possession,” federal officials said in a statement.
The other two breaches involved two separate thefts, from Advocate facilities, of laptop computers containing the private information of nearly 4 million people.
Advocate Health Care Network is the largest fully integrated health care system in Illinois, authorities said.
The latest penalty brings the total amount of settlements for HIPAA security violations to $20.3 million this year, up sharply from $6.2 million in all of 2015.