After multiple potential HIPAA violations involving electronic protected health information, Illinois-based Advocate Health Care Network has settled with the U.S. Department of Health and Human Services’ Office of Civil Rights for $5.55 million.

Advocate has also agreed to adopt a corrective action plan, according to OCR, which calls this the largest HIPAA settlement against a single entity to date. It’s the result of the “extent and duration of the alleged noncompliance,” with some infractions dating back to the Security Rule’s inception.

A corresponding investigation by the Illinois State Attorney General, along with the large number of patients whose information was affected by Advocate’s noncompliance, also led to the settlement, officials said.

The OCR investigation began in 2013, in response to Advocate’s submission of three breach notification reports that pertained to separate events at Advocate Medical Group, a subsidiary of Advocate. Combined, these three breaches affected the ePHI of 4 million patients.

The investigation found that Advocate failed to conduct a thorough risk assessment of all of its ePHI; did not implement policies to limit physical access to the electronic information systems in its large data support center; did not obtain written business associate contracts including assurances that the business associate would protect the ePHI in its possession; and left an unencrypted laptop locked in a vehicle overnight.

“We hope this settlement sends a strong message to covered entities that they must engage in a comprehensive risk analysis and risk management to ensure that individuals’ ePHI is secure,” OCR Director Jocelyn Samuels said in a statement.

“This includes implementing physical, technical and administrative security measures sufficient to reduce the risks to ePHI in all physical locations and on all portable devices to a reasonable and appropriate level.”