For a hospital chain, $5.5 million can go a long way. Such a large sum of money could, for instance, be used to improve facilities, offer better patient care or help low-income patients afford treatment.
Illinois-based hospital chain Advocate Health Care Network, however, will instead be putting this sum toward a government fine.
What a shame.
Recently, the company agreed to a $5.5 million settlement for its loose data security policy that resulted in the exposure of more than 4 million electronic patient records, including names, addresses, credit card numbers and birth dates.
The fine was the largest to date under the Health Insurance Portability and Accountability Act (HIPAA).
According to Network World, the U.S. Department of Health and Human Services Office for Civil Rights started investigating Advocate Health Care Network in 2013 after the company filed three separate breach notification reports for its subsidiary organization, Advocate Medical Group. The government agency found that Advocate failed to accurately and thoroughly assess vulnerabilities for its electronic protected health information. What’s more, the company neglected to implement policies and procedures for limiting physical access to electronic data systems within a large data support facility.
Other charges against Advocate include failure to obtain satisfactory assurances (meaning written contracts) from its business associates stating that they would protect all electronic health data in its network. What’s more, the company did not protect an unencrypted laptop, which was left in an unlocked vehicle overnight.
As you can see, the charges against Advocate are numerous. So, even though no misuse of the exposed information has been reported, the hospital chain must now pay a hefty price for its failure to protect patients’ private information on more than one occasion.
The message for covered entities is clear: Learn from Advocate’s mistakes, and consider taking preventative action to protect your organization from similar breaches. Risk management and analysis should be a regular part of your routine network maintenance policy.
Apex Technology Services is a managed services provider that can work with your business to ensure your organization is compliant with the latest HIPAA regulations. Working with Apex is a cost-effective—and guaranteed—way to avoid unwittingly committing violations.
Did you know, for instance, that HIPAA policy was updated on June 20th to help companies more effectively detect and prevent ransomware threats? You can easily miss important updates like this when overwhelmed by the daily grind of network troubleshooting and endpoint management. Apex can help you streamline the process so you can focus on your job with peace of mind.
“The bottom line is that if you are a healthcare entity, or you do business with a healthcare entity, you are a target for a ransomware attack,” stated Rich Tehrani, CEO of Apex Technology Services, following the recent HIPAA update. “Businesses across all industries are strongly advised to take preventative action to protect their networks, by educating employees about cyberthreats and performing regular data backups. While you can’t always prevent a ransomware attack, you can drastically improve your chances of recovery.”
A new breed of hacktrepreneurs has awoken, and they have little to fear and everything to gain by infecting as many companies as possible and extorting money from them. Apex Technology Services stands ready to protect your company regardless of whether it’s located in New York City; White Plains, New York; Connecticut; Australia; Europe; or anywhere else. Our full suite of cybersecurity and IT support services is at your disposal, enabling you to spend less time worrying and more time growing your business.
In addition, our new Cybersecurity Compliance Certification for law firms will help keep your legal practice from becoming the next Panama Papers victim. This baseline cybersecurity audit for the legal industry should be considered seriously by all law firms.