Thursday, 18 August 2016

Stormy weather for healthcare providers (and others) not protecting personal data - $5.55 million fine

The recent fine of $5.55 million levied on Advocate Health Care Networks (AHCN) starts to sketch out liability levels for failing to protect sensitive personal information. This will be of great interest to insurance companies looking to calculate risk premiums and to IT providers looking to limit liability.

AHCN is the largest health care provider in the Chicago area and between July and November 2013 they suffered 3 data breaches. 4 million records went missing but there has been no indication that these records have been used or published. So no loss to date for the victims.

2 of the 3 breaches were straightforward theft of hardware (4 desktops / 1 laptop) rather than the more exotic type of cyber attack.

The areas of failure were identified as follows:

failure to conduct an accurate and thorough assessment of the potential risks and vulnerabilities to all of its ePHI;

failure to implement policies and procedures and facility access controls to limit physical access to the electronic information systems housed within a large data support center;

failure to obtain satisfactory assurances in the form of a written business associate contract that its business associate would appropriately safeguard all ePHI in its possession; and

failure to reasonably safeguard an unencrypted laptop when left in an unlocked vehicle overnight.

No doubt AHCN will have attempted to present itself as the victim of crime, which it was, but was fined nevertheless even though the data does not appear to have been misused.

How many handlers of personal data would currently pass the tests above?
