Discussion
Respond to these colleagues (BELOW): (half a page each, and please provide references separately)
Discussion Topic
When the Advocate Health System, located in Downers Grove, IL, failed to fully comply with the HIPAA framework, what was the result? Was the result appropriate for the data breaches involved? Is Health and Human Services a “pushover” agency?
Post from colleague 1
In 2013, Advocate Health System (AHS) was subject to one of the largest data breaches in the health care industry, resulting in the theft of almost 4 million patient records. The patient records compromised included names, addresses, dates of birth, credit card numbers with expiration dates, demographic information, health insurance information, and clinical information (Mangan, 2016). Ultimately, in 2016, AHS would settle in court and be obliged to pay Health and Human Services (HHS) $5.5 million in fines due to negligence and failure to follow HIPAA guidelines with regard to protecting data and data security. This would become the largest fine ever resulting from HIPAA policy and procedure violations.
The HHS investigation of the breaches found that the stolen information resided on four desktop systems and one laptop, all of which were password protected but not encrypted. The investigation later found that in 2009, AHS had implemented an encryption program to have all systems encrypted, but these particular systems were “overlooked”. Other security issues involved with the theft showed a lack of physical security where the stolen desktops were located. Another failure on AHS’s part was that they had not conducted a proper risk assessment of their systems. “OCR investigators once again uncovered one of the commonest violations of HIPAA Rules – the failure to conduct a comprehensive, organization-wide risk assessment.” (HIPAA, 2016)
Of the 3.9+ million records that resided on the stolen systems, I personally could not find any information that identity theft had been linked to those records.
Here is where it gets interesting. Back in 2009, Advocate had been the victim of a smaller data breach that involved unencrypted devices. The result of this was smaller fines and a mandate from HHS to encrypt all portable devices (QliqSoft, 2017). This could result in an extremely large class action suit.
I personally feel that the result of the data breach could have been a bit more severe, due to the fact that they had had a similar issue and were warned 4 years earlier. Yes, AHS was made an example of, but maybe not enough. As far as HHS being a “pushover”, I think that there may be more parts in play in the decisions that were made at the time of the investigation and settlement. I do not think that they are a pushover, but they may need to take more into consideration in these situations, especially if there have been numerous incidents and warnings in the past.
References:
Conn, J. (2013, August 30). Advocate data breach highlights lack of encryption, a widespread issue. Modern Healthcare. https://www.modernhealthcare.com/article/20130830/NEWS/308309953/advocate-data-breach-highlights-lack-of-encryption-a-widespread-issue
Health and Human Services. (2017). Resolution Agreement. Health and Human Services. Retrieved from https://www.hhs.gov/sites/default/files/Advocate_racap.pdf
HIPAA Journal. (2016, August 5). Largest ever HIPAA settlement: Advocate Health to pay OCR $5.5 Million. HIPAA Journal. https://www.hipaajournal.com/largest-ever-hipaa-settlement-advocate-health-5-5-million-3537/
Mangan, D. (2016, August 5). Huge data breach at health system leads to biggest ever settlement. CNBC. https://www.cnbc.com/2016/08/04/huge-data-breach-at-health-system-leads-to-biggest-ever-settlement.html
McGee, M. K. (2013, August 27). Advocate medical breach: No encryption? Databreach Today. https://www.databreachtoday.com/advocate-medical-breach-no-encryption-a-6021
QliqSoft. (2017, April 29). Advocate data breach: The $1 billion lawsuit? QliqSoft. https://www.qliqsoft.com/blog/advocate-data-breach-the-1-billion-lawsuit/
Sanborn, B. J. (2016, August 5). Advocate Health Care agrees to $5.5 million HIPAA violation settlement. Healthcare Finance. https://www.healthcarefinancenews.com/news/advocate-health-care-agrees-55-million-hipaa-violation-settlement
Post from colleague 2
One of the nation’s biggest health-care systems agreed to pay the largest settlement ever by a single entity for potential violations of federal patient privacy law, related to breaches that compromised the electronic data of 4 million patients.
Advocate Health Care, which was investigated for the data breaches at a subsidiary by the Illinois Attorney General’s office, was also required to adopt a corrective action plan for its data security. The breaches, two of which involved thefts of computers, occurred at a physicians’ group that is the largest in the Chicago area.
Advocate Health Care Network, which operates 12 hospitals and more than 200 other treatment locations in Illinois, paid $5.55 million to the U.S. Health and Human Services Department as part of the settlement announced by HHS.
The patient records compromised included people’s names, addresses, dates of birth, credit card numbers with expiration dates, as well as demographic information, clinical information and health insurance information, according to HHS. Advocate Health Care said there “continues to be no indication that the information was misused.”
HHS said the settlement is a result of “the extent and duration of the alleged noncompliance” by Advocate Health Care with the law requiring health providers to adequately safeguard electronic protected health information. Other factors that contributed to the size of the settlement were the large number of patient records involved and the AG’s ongoing probe, according to HHS.
According to a resolution agreement signed as part of the settlement, Advocate Health Care reported three separate data breaches that occurred between July and November 2013, involving Advocate Medical Group, a physicians’ group with more than 1,000 doctors.
The first breach occurred early July 15 when four desktop computers containing records of nearly 4 million patients were stolen from an AMG administrative office in Park Ridge, Illinois.
The second breach involved an unauthorized third party getting access to the network of a company that provides billing services to AMG between June 30 and August 15, 2013, which potentially compromised the health records of more than 2,000 AMG patients, according to the agreement.
Then, on Nov. 1, 2013, an unencrypted laptop containing patient records of more than 2,230 people was stolen from a car belonging to an AMG staffer, the agreement said.
Advocate Health Care did not admit to any wrongdoing in the resolution agreement. But HHS’s Office of Civil Rights said that its investigations of the breaches “revealed that Advocate failed” to take a number of steps to safeguard patient data.
Jocelyn Samuels, director of HHS’s Office for Civil Rights at that time, said, “We hope this settlement sends a strong message to covered entities that they must engage in a comprehensive risk analysis and risk management to ensure that individuals’ ePHI is secure.” OCR is responsible for enforcing compliance with HIPAA, the Health Insurance Portability and Accountability Act, the law at play in the case. Also, among other things, OCR said Advocate Health Care failed to “conduct an accurate and thorough assessment of the potential risks and vulnerabilities of all of its” electronic patient health information records. Advocate Health Care also failed to put into place “policies and procedures and facility access controls to limit physical access to the electronic information systems housed within a large data support center,” and was also faulted for not getting satisfactory assurances, in a written contract, that its billing services provider would appropriately safeguard electronic patient records in its possession.
Advocate Health Care responded in one of their statements that, “Protecting the privacy and confidentiality of our patients while delivering the highest level of care and service are our top priorities.”
“As all industries deal with the ever-evolving digital landscape and the impact it has on security, we’ve enhanced our data encryption measures to prevent this type of incident from reoccurring,”
“While there continues to be no indication that the information was misused, we deeply regret any inconvenience this incident has caused our patients. We continue to cooperate fully with the government to advance our patient privacy protection efforts.”
My take is that, although it was acknowledged even by Advocate Health System that there was a breach in their data system, any amount of fine leveled against them cannot measure up to the damage that was done. The leveled fine was just to minimize the impact of the breach and also to serve as a warning to any other organization of the consequences of not ensuring adequate security of their information systems.
Health and Human Services, as an agency of government tasked with the responsibility of enhancing the health and well-being of all Americans by providing for effective health and human services and by fostering sound, sustained advances in the sciences underlying medicine, public health, and social services, cannot be said to be a “pushover agency”. The agency performed its role in ensuring that AHS was held responsible for its data security inefficiency and was penalized accordingly.
In summary, this means that AHS paid up for a weak security system.
References
Mangan, D. (2016). Huge data breach at health system leads to biggest ever settlement. Retrieved from https://www.cnbc.com/2016/08/04/huge-data-breach-at-health-system-leads-to-biggest-ever-settlement.html
Teichert, E. (2016). Advocate Health to pay largest HIPAA settlement. Retrieved from https://www.modernhealthcare.com/article/20160804/NEWS/160809941/advocate-health-to-pay-largest-hipaa-settlement
U.S. Department of Health & Human Services. (2016). Advocate Health Care settles potential HIPAA penalties for $5.55 Million. Retrieved from https://webcache.googleusercontent.com/search?q=cache:FDTGUhF-OQMJ:https://www.hhs.gov/hipaa/for-professionals/compliance-enforcement/agreements/ahcn/index.html+&cd=1&hl=en&ct=clnk&gl=us