Business Associate Breach from Cyber Attack Implicated in Record HIPAA Penalty of $5.5 Million

Aug 8, 2016 | Blog

The largest HIPAA penalty to date, $5.5 million, was announced by the Office for Civil Rights (OCR) on August 4, 2016. A breach at a consultant Business Associate caused by a cyber attack, together with the lack of a Business Associate Agreement with that entity, figured significantly in the penalty, as OCR continues its practice of heavily penalizing healthcare providers and plans that do not have the mandated Business Associate Agreements in place.

The penalty was the result of a settlement of a proceeding against Advocate Health Care Network (“Advocate”), the largest hospital system in Illinois. The OCR investigation arose from three breaches, one each by the hospital system, the affiliated medical practice Advocate Medical Group (“Advocate Medical”) and the IT billing consultant Blackhawk Consulting Group (“Blackhawk”). The three breaches, all self-reported by Advocate, together involved the records of more than four million patients.

Advocate and Advocate Medical lost Protected Health Information (PHI) when desktops (Advocate) and a laptop (Advocate Medical) holding unencrypted PHI were stolen.

The Blackhawk breach, though, should attract the most attention from healthcare providers, plans and the Business Associates that access PHI to work with them. Blackhawk sustained a cyber attack that resulted in the disclosure to the intruder of the PHI of more than 2,000 patients. While it is generally accepted that any organization can be attacked, and an attack by itself is not proof of a HIPAA violation, Advocate was penalized here because it had failed to enter into a HIPAA Business Associate Agreement with Blackhawk. Such agreements, in which an organization that accesses PHI to perform a service for a provider or plan agrees to protect that information as required by the HIPAA Rules, are a black-and-white HIPAA requirement. Providers and plans that do not have such agreements in place will, as Advocate learned, face exposure to multi-million dollar HIPAA penalties as well as loss of business.

If you have questions as to HIPAA obligations for business relationships between providers and plans and the organizations that use PHI to assist them, please contact Kenneth N. Rashbaum.