In late September 2023, Indiana Attorney General Todd Rokita filed a lawsuit against CarePointe ENT over a ransomware attack and data breach that affected 48,742 individuals. A settlement has been reached that will see CarePointe pay $125,000 to resolve alleged violations of the Health Insurance Portability and Accountability (HIPAA) Act and state data privacy and security laws.
CarePointe ENT operates three ear, nose, throat, sinus, and hearing centers in Merrillville, Munster & Hobart in Northwest Indiana. On June 25, 2021, CarePointe ENT experienced a ransomware attack which resulted in files being encrypted and data being exfiltrated. The stolen data included names, addresses, dates of birth, Social Security numbers, medical insurance information, and health information. Affected individuals were notified about the data breach in August 2021.
AG Rokita launched an investigation into the attack to determine if CarePointe ENT had complied with its obligations under HIPAA and state laws. Despite claiming that it was committed to safeguarding patient information, CarePointe ENT was determined to have failed to implement appropriate security policies, conduct appropriate risk analyses, and address known security risks in a reasonable amount of time.
CarePointe ENT hired a third-party IT vendor that conducted a HIPAA risk analysis and identified security concerns in January 2021. The vendor was hired in March to address the identified vulnerabilities, but they were not fixed in a reasonable time frame. In June 2021, some of the unaddressed vulnerabilities were exploited in a ransomware attack. In addition to the failure to address known security issues, CarePointe ENT failed to enter into a business associate agreement with the vendor, even though the vendor was provided with access to systems containing protected health information.
AG Rokita’s lawsuit alleged one count of a failure to comply with the HIPAA Privacy Rule, one count of failing to comply with the HIPAA Security Rule, one count of failing to comply with the Indiana Disclosure of Security Breach Act (DSBA), and one count of failing to comply with the Indiana Deceptive Consumer Sales Act (DCSA). CarePointe ENT chose to settle the alleged violations of HIPAA and state laws with no admission of wrongdoing. Under the terms of the settlement, a financial penalty of $125,000 will be paid to the state and CarePointe ENT has agreed to ensure full compliance with the HIPAA Privacy and Security Rules and the DCSA and DSBA with respect to the safeguarding of personal information (PI), protected health information (PHI), and electronic protected health information (ePHI). CarePointe ENT has also agreed not to make misrepresentations about the extent to which it ensures the privacy, security, confidentiality, and integrity of PI, PHI, and ePHI.
The settlement agreement includes a comprehensive list of privacy and security measures. These include implementing a comprehensive information security program, appointing a HIPAA Security Officer to oversee that program, implementing technical safeguards and controls to ensure the privacy and security of patient data, developing an incident response plan and testing that plan through table-top exercises, developing policies and procedures regarding business associate agreements, and providing privacy and security training to all members of the workforce with access to PI, PHI, or ePHI,
The post CarePointe ENT Settles HIPAA Lawsuit with Indiana Attorney General appeared first on HIPAA Journal.