The Illinois-based Advocate Health Care Network has settled with the US Department of Health and Human Services’ Office for Civil Rights (OCR) for $5.55 million over multiple potential HIPAA violations. Advocate has also agreed to adopt a corrective action plan. OCR is calling this the largest HIPAA settlement against a single entity to date.

OCR began its investigation in 2013 after Advocate submitted three breach notification reports for three separate incidents. Combined, the three breaches affected the ePHI of approximately 4 million patients. After completing its investigation, OCR found that Advocate had failed to conduct a thorough risk analysis of all of its ePHI, had not implemented policies limiting physical access to the electronic information systems housed in its data support center, had not obtained written business associate contracts containing assurances that the business associate would safeguard the ePHI in its possession, and had failed to reasonably safeguard an unencrypted laptop that was left overnight in an unlocked vehicle.

OCR’s hope is that “…this settlement sends a strong message to covered entities that they must engage in a comprehensive risk analysis and risk management to ensure that individuals’ ePHI is secure.”