An Illinois health center agreed to the largest single-entity HIPAA settlement ever after a network breach affected as many as 4 million of its patients.

Advocate Health Care Network agreed to pay $5.55 million and adopt a corrective action plan following a lengthy investigation by the Department of Health and Human Services’ Office for Civil Rights.

The breach involved the health system’s physician practice, Advocate Medical Group, which was found to have several inadequate security measures in place to protect patient data, reports medcitynews.com.

RELATED: Cyberattack on Ariz. Healthcare System May Affect Data of 3.7 Million

The breaches compromised patient names, addresses, birthdates, demographics, clinical records, insurance records and credit card numbers, the OCR said in a statement Aug. 4.

The OCR began investigating the data breach in 2013 and determined that the practice conducted insufficient risk assessments to patient data, didn’t fully control access to its data centers, lacked required business associate agreements with vendors and failed to safeguard an unencrypted laptop when left in an unlocked vehicle overnight.

Despite the investigation’s findings, it was not officially determined that Advocate Health Care violated HIPAA, the patient privacy and security law.

The OCR says it hopes the settlement sends a message to healthcare entities about the importance of having strong risk management and analysis procedures in place. Specifically, the office says entities should implement “physical, technical and administrative security measures sufficient to reduce the risks to ePHI in all physical locations and on all portable devices to a reasonable and appropriate level.”

Read Next: Boston Hospital’s Vendor Announces Patient Data Breach

If you appreciated this article and want to receive more valuable industry content like this, click here to sign up for our FREE digital newsletters!

Related Content