
$5.5 Million penalty to hospital for not protecting patient health records

Advocate Health Care Network is the largest hospital chain operator in Illinois, and was recently hit with a fine for violating the information security requirements of the US Health Insurance Portability and Accountability Act (HIPAA). In this case, they exposed approximately 4 Million patient records. How does a trusted organization let this kind of security breach happen?

An investigation began in 2013 as a result of a number of breach notifications by a subsidiary of Advocate. The types of data exposed in these incidents included demographic information, clinical information, health insurance information, patient names, addresses, credit card numbers and their expiration dates, and dates of birth.

The findings of the investigation indicated that the organization failed to adequately:

  • Assess information security risks
  • Implement and enforce appropriate information security policies
  • Hold business associates accountable for protection of personal health records
  • Protect patient health records on a laptop computer

It’s very likely that the $5.5 Million penalty is actually only a small part of the total cost to the organization of having lax security measures. In this case, the cost of securing their removable media and laptops would probably have been a fraction of the penalty assessed to them.

Organizations in any industry must begin to take a realistic look at the real costs of security breaches relative to the cost of implementing good security.

Here’s an article from Computer World on this story.

