If the health care industry was not yet sufficiently appreciative of the threats of cyberattacks, the $5.5 million penalty Advocate Health Care Network agreed to pay for violating data security measures gives hospitals, insurers and clinics another reason to get serious about securing their computer systems.

The U.S. Department of Health and Human Services reached a settlement with Advocate, which failed to “conduct an accurate and thorough assessment of the potential risks and vulnerabilities” of its electronic protected health information (ePHI).

The Illinois-based nonprofit health care network is the largest in the Land of Lincoln, and includes 12 hospitals and 250 treatment centers.

At least one of the data breaches it admitted to revealed valuable information about 4 million patients, including names, addresses, credit card information, and birthdates.

“We hope this settlement sends a strong message to covered entities that they must engage in a comprehensive risk analysis and risk management to ensure that individuals’ ePHI is secure,” said Jocelyn Samuels, director of the HHS Office of Civil Rights, in a statement. “This includes implementing physical, technical, and administrative security measures sufficient to reduce the risks to ePHI in all physical locations and on all portable devices to a reasonable and appropriate level.”

Indeed, amidst growing angst about cyberattacks in the health care sector, the settlement offered the Obama administration an ideal opportunity to show that it is taking serious action on the issue.

In a statement sent to BenefitsPRO, Advocate Health Care said, "Protecting the privacy and confidentiality of our patients while delivering the highest level of care and service are our top priorities. As all industries deal with the ever-evolving digital landscape and the impact it has on security, we’ve enhanced our data encryption measures to prevent this type of incident from reoccurring. While there continues to be no indication that the information was misused, we deeply regret any inconvenience this incident has caused our patients. We continue to cooperate fully with the government to advance our patient privacy protection efforts."

A number of health security measures were included in an omnibus spending bill that President Obama signed into law at the end of last year. Among other things, it required HHS to do a report on the issue of cybersecurity in the health care sector and required it to form a task force on cybersecurity including a variety of industry “stakeholders,” such as providers and insurers.

Bipartisan legislation that is currently winding through Congress would establish an undersecretary of Health and Human Services designated to deal with cybersecurity.

There are already signs of improvement. As of March, only 3.5 million records had been compromised. If that sounds bad, keep in mind that last year an estimated 113 million were inappropriately accessed. Much of that was likely due to the hacking of Anthem in February of last year, a breach that put the insurance giant’s 78.8 million customers’ information at risk.
