Ill. hospital chain to pay largest single HIPAA settlement ever: $5.55 million

In what HHS’s Office of Civil Rights (OCR) called its largest settlement ever against a single entity for HIPAA violations, Downers Grove, Illinois-based Advocate Health Care has agreed to pay $5.55 million for three data breaches which exposed the health records of more than four million people.

The investigation began in 2014, after the third breach was reported. OCR said Advocate, the largest hospital chain in Illinois, failed to conduct a thorough risk analysis for vulnerabilities to all its protected health information held electronically and didn’t have written contracts with business associates assuring health information in their possession would be protected.

The single biggest accusation of lax data security Advocate faced was related to its data center. OCR said the company didn’t have policies in place to limit physical access to Touhy Support Center in Park Ridge, Illinois, which allowed four computers containing the protected information of more than 3.9 million people to be stolen on July 15, 2013. The stolen information included patient names, insurance records, addresses, credit card numbers and their expiration dates, dates of birth, and clinical records.

In another instance, OCR said an unencrypted laptop was left in an unlocked car overnight by an employee of an Advocate subsidiary, Advocate Medical Group, which the agency said constitutes a failure to “reasonably safeguard” the protected information of more than 2,200 people.

The “extent and duration of the alleged noncompliance” is what led to such a large settlement, according to OCR.

“We hope this settlement sends a strong message to covered entities that they must engage in a comprehensive risk analysis and risk management to ensure that individuals’ ePHI is secure,” said OCR Director Jocelyn Samuels.

Under the settlement, Advocate does not admit liability but will implement a corrective action plan to close the security gaps identified by OCR. That plan will require conducting a risk analysis within 180 days, along with reviewing and revising policies on devices which can transmit or store protected health information and on physical access to its data center.

John Gregory, Senior Writer

John joined TriMed in 2016, focusing on healthcare policy and regulation. After graduating from Columbia College Chicago, he worked at FM News Chicago and Rivet News Radio, and worked on the state government and politics beat for the Illinois Radio Network. Outside of work, you may find him adding to his never-ending graphic novel collection.
