By George F. Indest III, J.D., M.P.A., LL.M., Board Certified by The Florida Bar in Health Law

On August 4, 2016, one of Illinois’ largest hospital chains agreed to pay $5.5 million in settlement for lax data security and breaches of protected health information for millions of patients. This deal is a record payout under the Health Insurance Portability and Accountability Act (HIPAA), federal regulators said.

Advocate Health Care Network (Advocate), which operates 12 hospitals and hundreds of satellite locations in Illinois, agreed to the payout in connection with three separate data breaches that compromised the records of 4 million individuals at a medical group subsidiary. The affected private patient data included clinical information, health insurance information, credit card numbers and dates of birth, according to the Office for Civil Rights (OCR) at the U.S. Department of Health and Human Services (HHS).

The Investigation.

Investigations of those privacy and data breaches turned up additional problems for the large hospital chain. The OCR found Advocate did not adequately assess risks to so-called electronic protected health information, or ePHI. The hospital system also failed to properly limit access to electronic systems and failed to obtain an agreement with a business associate to safeguard ePHI.

“We hope this settlement sends a strong message to covered entities that they must engage in a comprehensive risk analysis and risk management to ensure that individuals’ ePHI is secure,” OCR Director Jocelyn Samuels said.

The HIPAA Settlement.

This recent settlement brings HIPAA payouts to $20.4 million so far in 2016. That far outpaces the previous annual record of $7.9 million total for all of 2014. The stiffer penalties come as the OCR is launching a wave of audits to measure HIPAA compliance, potentially giving even more backing to enforcement.

In a statement, Advocate said that it has since strengthened its data encryption efforts in response to the “ever-evolving digital landscape” in hopes of preventing further problems.  “While there continues to be no indication that the information was misused, we deeply regret any inconvenience this incident has caused our patients,” Advocate said.

According to the resolution agreement, the three privacy and data breaches occurred in 2013. One breach involved the theft of four laptop computers from an office building. A second involved unauthorized access onto a business associate’s computer network and a third stemmed from the theft of an unencrypted laptop computer from an Advocate employee’s unlocked vehicle. The majority of the 4 million individuals were affected by the first data breach.

Under the resolution agreement, Advocate committed to a number of security improvements, including a risk analysis of ePHI, a plan for managing security risks and an expanded program of HIPAA compliance training.

Click here to read the resolution agreement in full.

To read more on the importance of HIPAA and how to avoid violations, click here to read one of my prior blogs.

No Private Cause of Action (Right to Sue ) under HIPAA.

It is important to remember that neither the federal law itself, HIPAA (the abbreviation for the Health Insurance Portability and Accountability Act), nor the federal regulations which implement it, give an individual the right to sue for its violation.  Complaints on violations cane be filed with the Office of Civil Rights (OCR) which investigates such cases and issues fines, penalties, and takes other actions.  If an individual sues for a breach of his/her medical confidentiality, it is usually under the state’s law for the state in which it occurs.

If the facility is a federal facility (such as Veterans Administration (VA), Public Health Service (PHS), military hospitals and clinics, Indian Health Service (IHS)), then the federal Privacy Act of 1974 also provides the right to sue.  The Privacy Act contains provisions that set a minimum statutory damages as well as awards attorney’s fees and costs.  Recent cases in several states have allowed HIPAA to be used as a statute which establishes an affirmative duty the violation of which can then be pursued under state negligence law.

Contact a Health Law Attorney Experienced in Defending HIPAA Complaints and Violations.

The attorneys of The Health Law Firm represent physicians, medical groups, nursing homes, home health agencies, pharmacies, hospitals and other healthcare providers and institutions in investigating and defending alleged HIPAA complaints and violations and in preparing Corrective Action Plans (CAPs).  They also represent patients and plaintiffs in the case of major data breaches and individual breaches of medical privacy which result in damages or losses to the patient.

For more information about HIPAA violations, electronic health records or corrective action plans (CAPs) please visit our website at or call (407) 331-6620 or (850) 439-1001.


Overley, Jeff. “Ill. Hospital Chain Inks Record $5.5M HIPAA Deal.” Law360. (August 4, 2016). Web.

About the Author: George F. Indest III, J.D., M.P.A., LL.M., is Board Certified by The Florida Bar in Health Law. He is the President and Managing Partner of The Health Law Firm, which has a national practice. Its main office is in the Orlando, Florida area. The Health Law Firm, 1101 Douglas Ave., Altamonte Springs, FL 32714, Phone; (407) 331-6620.

KeyWords: Health Insurance Portability and Accountability Act (HIPAA), legal defense for HIPAA violations, HIPAA defense attorney, HIPAA plaintiff’s attorney, breach of medical privacy attorney, patient data breach legal counsel, Electronic Protected Health Information (ePHI) attorney, suit for HIPAA violation, federal Privacy Act violation attorney, HIPAA compliance counsel, OCR HIPAA investigation defense attorney, HIPAA audit attorney, legal counsel for HIPAA compliance, health law defense lawyer, The Health Law Firm

“The Health Law Firm” is a registered fictitious business name of George F. Indest III, P.A. – The Health Law Firm, a Florida professional service corporation, since 1999. Copyright © 2016 The Health Law Firm. All rights reserved.