If the health care industry was not yet sufficiently appreciative of the threats of cyberattacks, the $5.5 million penalty Advocate Health Care Network agreed to pay for violating data security measures gives hospitals, insurers and clinics another reason to get serious about securing their computer systems.

The U.S. Department of Health and Human Services reached a settlement with Advocate, which failed to “conduct an accurate and thorough assessment of the potential risks and vulnerabilities” of its electronic protected health information (ePHI).

The Illinois-based nonprofit health care network is the largest in the Land of Lincoln, and includes 12 hospitals and 250 treatment centers.

At least one of the data breaches it admitted to revealed valuable information about 4 million patients, including names, addresses, credit card information, and birthdates.

“We hope this settlement sends a strong message to covered entities that they must engage in a comprehensive risk analysis and risk management to ensure that individuals’ ePHI is secure,” said Jocelyn Samuels, director of the HHS Office of Civil Rights, in a statement. “This includes implementing physical, technical, and administrative security measures sufficient to reduce the risks to ePHI in all physical locations and on all portable devices to a reasonable and appropriate level.”

Indeed, amidst growing angst about cyberattacks in the health care sector, the settlement offered the Obama administration an ideal opportunity to show that it is taking serious action on the issue.

In a statement sent to BenefitsPRO, Advocate Health Care said, "Protecting the privacy and confidentiality of our patients while delivering the highest level of care and service are our top priorities. As all industries deal with the ever-evolving digital landscape and the impact it has on security, we’ve enhanced our data encryption measures to prevent this type of incident from reoccurring. While there continues to be no indication that the information was misused, we deeply regret any inconvenience this incident has caused our patients. We continue to cooperate fully with the government to advance our patient privacy protection efforts."

A number of health security measures were included in an omnibus spending bill that President Obama signed into law at the end of last year. Among other things, it required HHS to produce a report on cybersecurity in the health care sector and to form a cybersecurity task force that includes a variety of industry “stakeholders,” such as providers and insurers.

Bipartisan legislation that is currently winding through Congress would establish an undersecretary of Health and Human Services designated to deal with cybersecurity.

There are already signs of improvement. As of March, only 3.5 million records had been compromised. If that sounds bad, keep in mind that last year an estimated 113 million were inappropriately accessed. Much of that was likely due to the hacking of Anthem in February of last year, a breach that put the insurance giant’s 78.8 million customers’ information at risk.
