If the health care industry was not yet sufficiently appreciative of the threats of cyberattacks, the $5.5 million penalty Advocate Health Care Network agreed to pay for violating data security measures gives hospitals, insurers and clinics another reason to get serious about securing their computer systems.

The U.S. Department of Health and Human Services reached a settlement with Advocate, which failed to “conduct an accurate and thorough assessment of the potential risks and vulnerabilities” of its electronic protected health information (ePHI).

The Illinois-based nonprofit health care network is the largest in the Land of Lincoln, and includes 12 hospitals and 250 treatment centers.

At least one of the data breaches it admitted to revealed valuable information about 4 million patients, including names, addresses, credit card information, and birthdates.

“We hope this settlement sends a strong message to covered entities that they must engage in a comprehensive risk analysis and risk management to ensure that individuals’ ePHI is secure,” said Jocelyn Samuels, director of the HHS Office of Civil Rights, in a statement. “This includes implementing physical, technical, and administrative security measures sufficient to reduce the risks to ePHI in all physical locations and on all portable devices to a reasonable and appropriate level.”

Indeed, amidst growing angst about cyberattacks in the health care sector, the settlement offered the Obama administration an ideal opportunity to show that it is taking serious action on the issue.

In a statement sent to BenefitsPRO, Advocate Health Care said, "Protecting the privacy and confidentiality of our patients while delivering the highest level of care and service are our top priorities. As all industries deal with the ever-evolving digital landscape and the impact it has on security, we’ve enhanced our data encryption measures to prevent this type of incident from reoccurring. While there continues to be no indication that the information was misused, we deeply regret any inconvenience this incident has caused our patients. We continue to cooperate fully with the government to advance our patient privacy protection efforts."

A number of health security measures were included in an omnibus spending bill that President Obama signed into law at the end of last year. Among other things, it required HHS to do a report on the issue of cybersecurity in the health care sector and required it to form a task force on cybersecurity including a variety of industry “stakeholders,” such as providers and insurers.

Bipartisan legislation that is currently winding through Congress would establish an undersecretary of Health and Human Services designated to deal with cybersecurity.

There are already signs of improvement. As of March, only 3.5 million records had been compromised. If that sounds bad, keep in mind that last year an estimated 113 million were inappropriately accessed. Much of that was likely due to the hacking of Anthem in February of last year, a breach that put the insurance giant’s 78.8 million customers’ information at risk.

Instant Insights /

Health care system pays $5.5 million in data breach settlement

More From HR Executive

Related Stories

Recommended For You