Healthcare Data Privacy

OIG: Two VA Employees Concealed Privacy and Security Risks of a Big Data Project

Posted February 2, 2021 by HIPAA Journal

Two members of the Department of Veteran Affairs’ (VA) information technology staff are alleged to have made false representations about the privacy and security risks of a big data AI project between the VA and a private company that would have seen the private and confidential health data of tens of millions of veterans fed into the AI system.

An administrative investigation was conducted by the VA Office of Inspector General (OIG) into a potential conflict of interest related to a cooperative research and development agreement (CRADA) between the VA and a private company in 2016.

The purpose of the collaboration was to improve the health and wellness of veterans using AI and deep learning technology developed by Flow Health. The project aimed to identify common elements that make people susceptible to disease, identify potential treatments and possible side effects to inform care decisions and to improve the accuracy of diagnoses.

The CRADA would have resulted in the private and confidential health data, including genomic data, of all veterans who had received medical treatment at the VA being provided to Flow Health. The deal was brought to the attention of senior VA IT leaders in November 2016 following media coverage of the deal after Flow Health issued a press release announcing the new initiative.

The CRADA had been approved but was unilaterally terminated in December 2016 before any veteran data was transferred. The VA’s IT leaders requested the OIG conduct an investigation into potential conflicts of interest between the two employees and Flow Health in December 2016.

The CRADA would have seen private and confidential health data provided to Flow Health for 5 years. According to Flow Health, the project would see the company build “the world’s largest knowledge graph of medicine and genomics from over 30 petabytes of longitudinal clinical data drawn from VA records on 22 million veterans spanning over 20 years,” and that the project with the VA was “a watershed moment for deep learning in healthcare.” To protect the privacy of veterans, Flow Health said it would de-identify all patient data during analysis.

One of the VA employees worked as an Office of IT program manager and the other as a Veterans Health Administration health system specialist at the VHA central office. OIG investigated whether either of the employees had any financial conflicts of interest related to the deal with Flow Health, and while no financial conflicts of interest were found, OIG did discover the employees concealed material information about the privacy and security risks of the project and made misrepresentations about the risks which led to the project being approved under false pretenses.

In the report, False Statements and Concealment of Material Information by VA Information Technology Staff, OIG said the VA official tasked with approving or rejecting the proposed project requested the employees provide an explanation of the cybersecurity implications of the Flow Health project.

OIG said the two employees concealed information from the VA official and did not divulge that subject matter experts had raised significant privacy and security concerns about the project. The two employees also made false statements to the VA official about the status of privacy and security reviews, indicating they have been conducted and all issues had been addressed. They also advocated the VA official execute the contract with Flow Health.

The OIG referred the matter to the Department of Justice, which declined to prosecute the two employees. The OIG recommended the VA determine whether administrative actions should be taken over the employees’ conduct, and the VA concurred with the recommendation.

The post OIG: Two VA Employees Concealed Privacy and Security Risks of a Big Data Project appeared first on HIPAA Journal.

Philadelphia Department of Public Health Terminates Vaccine Distribution Contract Over Alleged Privacy Violations

Posted January 29, 2021 by HIPAA Journal

Philly Fighting COVID, a company tasked with distributing COVID-19 vaccinations to the city of Philadelphia, has had its contract with the Philadelphia Department of Public Health terminated after allegations were made that the company’s privacy policies may have allowed the sale of individuals’ data to third parties.

Philly Fighting COVID started out as a nonprofit that was initially focused on coronavirus testing before pivoting to administering COVID-19 vaccinations. The startup won the contract to run Philadelphia’s first community vaccine clinic, which was launched by the Department for Public Health on January 8, 2021.

Philly Fighting COVID created a website where Philadelphians were encouraged to pre-register for the vaccines and were required to provide information such as names, contact information, date of birth, zip code, and other data, with the data intended to be provided to the Health Department and used to improve vaccination efforts, such as identifying the best locations to open further vaccine clinics. More than 60,000 individuals used the website and pre-registered for shots.

After running COVID-19 testing facilities, Philly Fighting COVID switched its focus to vaccine provision. The vaccine clinic started providing vaccines and more than 6,800 people received their first dose at the site, over a third of whom were healthcare workers.

In December 2020, Philly Fighting COVID created a for-profit arm was created and following that change in corporate status, a privacy policy was uploaded to the website, the wording for which indicated data collected through the website could be sold to third parties.

Philly Fighting COVID also abruptly stopped administering vaccines and had turned away seniors who had arrived for appointments and had waited in line for hours. Philly Fighting COVID claimed this was due to an error on the website that allowed too many individuals to book appointments.

Philly Fighting COVID was awarded the vaccine distribution contract as a nonprofit. The Department of Public Health and said it was not notified about any change in privacy policies that could potentially have allowed individuals’ data to be sold.

“For PFC to have made these changes without discussion with the City is extremely troubling,” said a Department of Public Health spokesperson. “As a result of these concerns, along with PFC’s unexpected stoppage of testing operations, the Health Department has decided to stop providing vaccines to PFC.”

Concerns were also raised about how Philly Fighting COVID was running the vaccine operation, with several troubling allegations made against the company. Notably, one nurse who had volunteered to work at the clinic and assist with providing vaccinations alleged on Twitter that she was not asked to provide any medical credentials when she applied for the position and claimed that the CEO had taken some of the vaccines home.

Responding to some of the criticism, Andrei Doroshin, CEO of Philly Fighting COVID explained on the website that “There was language in our privacy policy that was problematic and as soon as we became aware of it, we removed it. I apologize for the mistake in our privacy policy. We never have and never would sell, share, or disseminate any data we collected as it would be in violation of HIPAA rules.”

On NBC’s Today show, Doroshin admitted taking some of the vaccine doses and administering them to friends. “I understand that I made that mistake. That is my mistake to carry for the rest of my life, but it is not the mistake of the organization,” he said. The four doses he claims to have administered to friends were allegedly leftover doses that would otherwise have gone to waste, and that efforts were made to find eligible high-risk individuals to receive the doses but those attempts failed.

The Philadelphia District Attorney Larry Krasner has launched an investigation into Philly Fighting COVID over the misrepresentation of its for-profit status and the alleged mishandling of COVID-19 vaccines. The Philadelphia Department of Public Health is planning on reopening the clinic once a new service provider is found.

The post Philadelphia Department of Public Health Terminates Vaccine Distribution Contract Over Alleged Privacy Violations appeared first on HIPAA Journal.

Rady Children’s Hospital Facing Class Action Lawsuit over Blackbaud Ransomware Attack

Posted January 26, 2021 by HIPAA Journal

In May 2020, the cloud software company Blackbaud suffered a ransomware attack. As is common in human operated ransomware attacks, data was exfiltrated prior to file encryption. Some of the stolen data included the fundraising databases of its healthcare clients.

One of the affected healthcare providers was Rady Children’s Hospital-San Diego, the largest children’s hospital in California in terms of admissions. A class action lawsuit has been proposed that alleges Rady was negligent for failing to protect the sensitive information of 19,788 individuals which was obtained by the hackers through Blackbaud’s donor management software solution.

The lawsuit alleges Rady failed to implement adequate security measures and failed to ensure Blackbaud had adequate security measures in place to protect ePHI and ensure it remained private and confidential. The lawsuit alleges individuals affected by the breach now face “imminent, immediate, substantial and continuing increased risk” of identity theft and fraud as a result of the breach and Rady’s negligence.

Blackbaud discovered the ransomware attack in May 2020. The company’s investigation revealed the hackers had access to the fundraising databases of its healthcare clients between February 7 and June 4, 2020. Blackbaud said the hackers were expelled from the network as soon as the breach was discovered but had discovered a subset of client data had been obtained by the attackers.

Blackbaud took the decision to pay the ransom to ensure the stolen data was deleted. Assurances were received from the attackers that the data had been permanently destroyed. In its breach notification letters, Rady explained that the types of information potentially obtained by the hackers included patients’ names, addresses, dates of birth, physicians’ names, and the department where medical services were provided.

The lawsuit alleges Rady cannot reasonably maintain that the hackers destroyed the plaintiffs’ personal information. According to the complaint, “On information and belief, Blackbaud has not provided verification or further details regarding the disposition of the data to confirm that the stolen data has been destroyed.” The lawsuit also alleges neither Rady nor Blackbaud are aware how the hackers exfiltrated data, and whether it was transmitted in a secure manner and could not have been intercepted by other individuals.

According to the lawsuit, Rady had the necessary resources to protect patient data but neglected to implement appropriate security. The plaintiffs seek compensation, long -term protection against identity theft and fraud, and a court order to enforce changes to Rady’s security policies to ensure breaches such as this, and several others cited in the report, do not happen again.

Blackbaud is also facing multiple class action lawsuits over the breach. At least 23 putative class action lawsuits have filed against Blackbaud according to its 2020 Q3 Quarterly Filing with the U.S. Securities and Exchange Commission. The lawsuits have been filed in 17 federal courts, 4 state courts, and 2 Canadian courts. Each alleges victims of the breach have suffered harm as a result of the theft of their personal data.

Blackbaud also said more than 160 claims have been received from its customers and their attorneys in the U.S., U.K., and Canada. Blackbaud is also being investigated by government agencies and regulators, including 43 state Attorneys General and the District of Columbia, the Department of Health and Human Services, Federal Trade Commission, Office of the Privacy Commissioner of Canada, and the U.K GDPR data protection authority, the Information Commissioner’s Office.

The post Rady Children’s Hospital Facing Class Action Lawsuit over Blackbaud Ransomware Attack appeared first on HIPAA Journal.

HIPAA Enforcement by State Attorneys General

Posted January 21, 2021 by HIPAA Journal

The Department of Health and Human Services’ Office for Civil Rights is the main enforcer of HIPAA compliance; however, state Attorneys General also play a role in enforcing compliance with the Rules of the Health Insurance Portability and Accountability Act (HIPAA).

The Health Information Technology for Clinical and Economic Health (HITECH) Act gave state attorneys general the authority to bring civil actions on behalf of state residents who have been impacted by violations of the HIPAA Privacy and Security Rules and they can obtain damages on behalf of state residents. The Connecticut Attorney General was the first to exercise this right in 2010 against Health Net Inc. for the loss of an unencrypted hard drive containing the electronic protected health information of 1.5 million individuals and for delayed breach notifications. The case was settled for $250,000. The Vermont Attorney General followed suit with a similar action against Health Net in 2011 that was settled for $55,000, and Indiana brought a civil action against Wellpoint Inc. in 2011 that was settled for $100,000.

State attorneys general HIPAA cases were relatively rare occurrences, with only 11 settlements reached with HIPAA-covered entities and business associates to resolve HIPAA violations between 2010 and 2015. HIPAA enforcement by state attorneys general was stepped up in 2017 with 5 settlements and again in 2018 when 12 cases resulted in financial penalties for violations of the HIPAA Rules.

In 2019 and 2020, a total of just 5 cases resulted in financial penalties, although those penalties were sizeable, with four of the five cases being multistate actions against HIPAA-covered entities and business associates where several state attorneys general participated in the actions. These multistate actions allow state attorneys general to pool their resources and investigate potential violations of HIPAA and state laws more efficiently.

2023 was a busy year in terms of enforcement, with 16 enforcement actions to resolve violations of the HIPAA Rules and state consumer protection and breach notification laws. Cases were resolved by the Attorneys General in California, Colorado, Indiana, New York, Ohio, and Pennsylvania and there were three multistate investigations resolved, including a 49-state action against Blackbaud, a 32-stat action against Personal Touch Home Care, and a 4-state action against EyeMed Vision Care. The case against Blackbaud over its 5.5 million-record breach resulted in a penalty of $49.5 million.

When civil actions are brought against covered entities or business associates by state Attorneys General, they are separate from any Office for Civil Rights actions which may also choose to investigate and impose its own fins and penalties. Several data breaches have resulted in settlements being reached at both the federal and state level. Community Health Systems/CHSPSC, Anthem Inc., Premera Blue Cross, Aetna, Cottage Health System, University of Rochester Medical Center, and Medical Informatics Engineering have all settled cases with OCR and separate cases with state attorneys general to resolve potential HIPAA violations.

In many of the state AG enforcement actions below, the financial penalties resolve violations of federal (HIPAA) and/or state laws. Over the years there have been several cases where HIPAA Rules have been violated, but the decision was taken to bring actions for violations of the equivalent provisions in state laws. The cases detailed below include cases where the HIPAA Rules have been violated, but action has been taken for the violation of state laws.

HIPAA Enforcement by State Attorneys General in 2024

Year	State	Entity	Amount	Individuals Affected	Reason for Investigation	Findings
2024	New York	Refuah Health Center	$450,000 and invest $1.2 million in cybersecurity	260,740	May 2021 ransomware attack	Multiple violations of the HIPAA Security Rule, a violation of the HIPAA Breach Notification Rule, and violations of New York Business Law.

HIPAA Enforcement by State Attorneys General in 2023

State attorneys general have imposed three financial penalties for HIPAA violations or equivalent violations of state laws.

Year	State	Entity	Amount	Individuals Affected	Reason for Investigation	Findings
2023	New York	New York Presbyterian Hospital	$300,000	54,396	Use of pixels and other tracking tools on website	Violation of the HIPAA Privacy Rule and New York Executive Law for impermissibly disclosing PHI to third parties.
2023	New York	Healthplex	$400,000	89,955 (62,922 in New York)	Phishing attack	Violation of New York’s data security and consumer protection laws (data retention/logging, MFA, data security assessments)
2023	Indiana	CarePointe ENT	$120,000	48,742	Ransomware attack and data breach	Failure to address known vulnerabilities, business associate agreement failure, violations of the Indiana Disclosure of Security Breach Act and Indiana Deceptive Consumer Sales Act
2023	New York	U.S. Radiology Specialists Inc.	$450,000	198,260, including 92,540 New York residents	Cyberattack and data breach	Failure to upgrade hardware in a reasonable time frame to address a known vulnerability.
2023	New York	Personal Touch Holding Corp	$350,000	753,107	Ransomware attack	Only had an informal information security program, insufficient access controls, no continuous monitoring system, lack of encryption, and inadequate staff training.
2023	Multistate (32 states and PR)	Inmediata	$1.4 million	1,565,338	Unsecured server exposed PHI online, breach notifications	Failure to implement appropriate safeguards to ensure data security and breach response failures, which violated the HIPAA Security Rule, Breach Notification Rule, and state breach notification laws
2023	Multistate (49 states and DC)	Blackbaud	$49.5 million	5,500,000	Ransomware attack	Violations of the HIPAA Rules regarding safeguards and breach response, and violations of state consumer data protection laws
2023	Colorado	Broomfield Skilled Nursing and Rehabilitation Center	$60,000 ($25,000 suspended if full compliance with corrective measures)	677 individuals	2 compromised email accounts	Violations of the HIPAA Security Rule, state data protection laws, including the Colorado Consumer Protection Act (CCPA)
2023	Indiana	Schneck Medical Center	$250,000	89,707 individuals	Ransomware attack and data breach	Violations of the HIPAA Privacy, Security, and Breach Notification Rules. Violations of the Indiana Disclosure of Security Breach Act and the Indiana Deceptive Consumer Sales Act
2023	California	Kaiser Foundation Health Plan Foundation Inc. and Kaiser Foundation Hospitals	$49,000,000	7,700 individuals	Improper disposal of hazardous waste, medical waste, and protected health information	Violations of HIPAA, California’s Hazardous Waste Control Law, Medical Waste Management Act, Confidentiality of Medical Information Act, Customer Records Law, and Unfair Competition Law.
2023	California	Kaiser Permanente	$450,000	up to 167,095 individuals	Mailing error and PHI disclosure	California Confidentiality of Medical Information Act (CMIA) violations – impermissible disclosure of PHI and negligent maintenance or disposal of PHI
2023	New York	Practicefirst Medical Management Solutions (Professional Business Systems Inc.)	$550,000	1.2 million	Ransomware attack and data breach	Failure to patch a critical firewall vulnerability for 22 months. No penetration testing or vulnerability scanning, and a lack of encryption for sensitive health data.
2023	Multi-state: Oregon, New Jersey, Florida & Pennsylvania	EyeMed Vision Care	$2,500,000	2.1 million	Ransomware attack and data breach	Insufficient password complexity requirements, insufficient locking of accounts after failed password attempts, no multifactor authentication on a browser-accessible email account containing large amounts of PHI, inadequate logging and monitoring of email accounts, and storing unnecessary amounts of PHI in email accounts.
2023	New York	Heidell, Pittoni, Murphy & Bach LLP	$200,000	61,438	Ransomware attack and data breach	Violation of 17 provisions of the HIPAA Privacy and Security Rules
2023	Pennsylvania	DNA Diagnostics Center	$200,000	33,000	Stolen database containing 2.1 million records	Lack of safeguards, failure to update asset inventory, failure to remove assets not used for business purposes.
2023	Ohio	DNA Diagnostics Center	$200,000	12,600	Stolen database containing 2.1 million records	Lack of safeguards, failure to update asset inventory, failure to remove assets not used for business purposes.

This article will be updated as and when new fines, settlements, and other resolutions are announced to resolve violations of HIPAA and state laws.

HIPAA Enforcement by State Attorneys General in 2022

Year	State	Entity	Amount	Individuals Affected	Reason for Investigation	Findings
2022	Oregon and Utah	Avalon Healthcare	$200,000	14,500	10 Month delay in notifying individuals about a phishing attack and data breach	The investigation determined the 10-month delay violated HIPAA (60-day reporting deadline) and Oregon law (45-day reporting deadline), email security practices were found to be insufficient, with the settlement including several data security requirements including the appointment of an individual responsible for developing, implementing, and maintaining a comprehensive data security program to ensure compliance with Consumer Protection Laws and HIPAA, including email filtering, security awareness training, and multifactor authentication.
2022	Aveanna Healthcare	Massachusetts	$425,000	166,000	Phishing attack and data breach	The Massachusetts Attorney General determined there was a lack of appropriate safeguards to prevent phishing attacks, such as multifactor authentication and security awareness training for its workforce. The security measures implemented did not meet the minimum level for compliance with the Standards for the Protection of Personal Information of Residents of the Commonwealth of Massachusetts or the HIPAA Security Rule.
2022	New York	EyeMed Vision Care	$600,000	2.1 million	Phishing attack and data breach	Insufficient password complexity requirements, insufficient locking of accounts after failed password attempts, no multifactor authentication on a browser-accessible email account containing large amounts of PHI, inadequate logging and monitoring of email accounts, and storing unnecessary amounts of PHI in email accounts.

HIPAA Enforcement by State Attorneys General in 2021

New Jersey was particularly active in HIPAA enforcement in 2021 and was the only state to initiate its own investigations and issue financial penalties to resolve HIPAA violations in 2021. New Jersey also participated in a joint investigation into the data breach at American Medical Collection Agency (AMCA) – One of the largest ever breaches of healthcare data. The AMCA HIPAA case saw a $21 million financial penalty imposed; however, due to the huge costs incurred as a result of the breach, AMCA filed for bankruptcy protection. Due to the financial position of the company, the financial penalty was suspended and will only need to be paid if AMCA defaults on the terms of the settlement agreement.

Year	State	Entity	Amount	Individuals Affected	Reason for Investigation	Findings
2021	New Jersey	Regional Cancer Care Associates (Regional Cancer Care Associates LLC, RCCA MSO LLC, and RCCA MD LLC)	$425,000	105,000	Phishing attack and data breach	Failure to ensure the confidentiality, integrity, and availability of PHI, failure to protect against reasonably anticipated threats, failure to implement security measures to reduce risks, failure to conduct an accurate risk assessment, lack of a security awareness and training program.
2021	New Jersey	Command Marketing Innovations, LLC and Strategic Content Imaging LLC	$130,000 (Plus $65,000 suspended)	55,715	Printing and mismailing incident	Failure to ensure the confidentiality of PHI, lack of PHI safeguards, failure to review security measures following changes to procedures
2021	New Jersey	Diamond Institute for Infertility and Menopause	$495,000	14,663	Hacking incident and data breach	Multiple Privacy Rule and Security Rule failures, and violations of the Consumer Fraud Act
2021	Multi-state (41 state attorneys general)	American Medical Collection Agency	$21 million (suspended)	21 million	Hacking incident and data breach	Security failures including failure to detect a data breach

HIPAA Enforcement by State Attorneys General in 2020

Year	State	Entity	Amount	Individuals affected	Reason for Investigation	Findings
2020	Multistate (28 states)	Community Health Systems / CHSPSC LLC	$5,000,000	6.1 million	Hacked by Chinese APT group	Failure to implement and maintain reasonable security practices
2020	Multistate (43 states)	Anthem Inc	$39.5 million	78.8 million	Phishing attack and major data breach	Multiple violations of HIPAA and state laws
2020	California	Anthem Inc	$8.7 million	78.8 million	Phishing attack and major data breach	Multiple violations of HIPAA and state laws

HIPAA Enforcement by State Attorneys General in 2019

Year	State	Entity	Amount	Individuals affected	Reason for Investigation	Findings
2019	Multistate (30 states)	Premera Blue Cross	$10,000,000	10.4 million	Hacking incident and major data breach	Multiple violations of HIPAA and state laws
2019	Multistate (16 states)	Medical Informatics Engineering	$900,000	3.5 million	Breach of NoMoreClipboard data	Multiple violations of HIPAA and state laws
2019	California	Aetna	$935,000	1,991	2 mailings exposed PHI (Afib, HIV)	Impermissible disclosure of sensitive health information

HIPAA Enforcement by State Attorneys General in 2018

Year	State	Entity	Amount	Individuals affected	Reason for Investigation	Findings
2018	Massachusetts	McLean Hospital	$75,000	1,500	Loss of backup tapes	Insufficient risk assessment, failure to encrypt data, delayed breach notifications
2018	New Jersey	EmblemHealth	$100,000	6,443 (81,000)	Mailing error exposed SSNs	Impermissible disclosure of PHI, lack of staff training
2018	New Jersey	Best Transcription Medical	$200,000	1,650	Exposure of ePHI in Internet	Risk assessment and risk management failure, breach notification failure
2018	Multistate (CT, NJ, DC)	Aetna	640170.59	13,160	2 mailings exposed PHI (Afib, HIV)	Impermissible disclosure of sensitive health information
2018	Massachusetts	UMass Memorial Medical Group / UMass Memorial Medical Center	$230,000	15,000	Multiple data breaches	Failure to secure ePHI
2018	New York	Arc of Erie County	$200,000	3,751	Exposure of ePHI on the Internet	Failure to secure ePHI
2018	New Jersey	Virtua Medical Group	$417,816	1,654	Exposure of ePHI on the Internet	Multiple violations of the HIPAA Rules
2018	New York	EmblemHealth	$575,000	81,122	Mailing error exposed SSNs	Impermissible disclosure of PHI, lack of staff training
2018	New York	Aetna	$1,150,000	12,000	2 mailings exposed PHI (Afib, HIV)	Impermissible disclosure of sensitive health information

HIPAA Enforcement by State Attorneys General in 2017

Year	State	Entity	Amount	Individuals affected	Reason for Investigation	Findings
2017	California	Cottage Health System	$2,000,000	More than 54,000	Exposure of PHI on the Internet	Failure to safeguard personal information
2017	Massachusetts	Multi-State Billing Services	$100,000	2,600	Theft of unencrypted laptop computer	Failure to safeguard personal information
2017	New Jersey	Horizon Healthcare Services Inc	$1,100,000	3.7 million	Theft of 2 unencrypted laptop computers	Failure to safeguard personal information
2017	Vermont	SAManage USA, Inc.	$264,000	660	Exposure of PHI on the Internet	Failure to secure ePHI, breach notification failure
2017	New York	CoPilot Provider Support Services, Inc	$130,000	221,178	Delayed breach notification	Violation of breach notification requirements

HIPAA Enforcement by State Attorneys General (2010-2016)

Year	State	Entity	Amount	Individuals affected	Reason for Investigation	Findings
2015	New York	University of Rochester Medical Center	$15,000	3,403	List of patients provided to nurse who took it to a new employer	Impermissible disclosure of ePHI
2015	Connecticut	Hartford Hospital/ EMC Corporation	$90,000	8,883	Theft of unencrypted laptop containing PHI	Lack of Business Associate Agreement, failure to encrypt ePHI
2014	Massachusetts	Women & Infants Hospital of Rhode Island	$150,000	12,000	Loss of backup tapes containing PHI	Failure to safeguard ePHI, lack of staff training
2014	Massachusetts	Boston Children’s Hospital	$40,000	2,159	Loss of laptop containing PHI	Failure to encrypt ePHI
2014	Massachusetts	Beth Israel Deaconess Medical Center	$100,000	3,796	Loss of laptop containing PHI	Failure to encrypt ePHI
2013	Massachusetts	Goldthwait Associates	$140,000	67,000	Mishandling of PHI	Improper disposal of PHI
2012	Minnesota	Accretive Health	$2,500,000	24,000	Mishandling of PHI	Failure to safeguard PHI
2012	Massachusetts	South Shore Hospital	$750,000	800,000	Loss of backup tapes containing PHI	Failure to safeguard PHI
2011	Vermont	Health Net Inc.	$55,000	1,500,000	Loss of unencrypted hard drive/delayed breach notifications	Failure to safeguard PHI, violation of breach notification requirements
2011	Indiana	WellPoint Inc.	$100,000	32,000	Failure to report breach in a reasonable timeframe	Violation of breach notification requirements
2010	Connecticut	Health Net Inc.	$250,000	1,500,000	Loss of unencrypted hard drive	Failure to safeguard PHI, violation of breach notification requirements

The post HIPAA Enforcement by State Attorneys General appeared first on HIPAA Journal.

2020 Healthcare Data Breach Report: 25% Increase in Breaches in 2020

Posted January 19, 2021 by HIPAA Journal

More large healthcare data breaches were reported in 2020 than in any other year since the HITECH Act called for the U.S. Department of Health and Human Services’ Office for Civil Rights to start publishing healthcare data breach figures on its website.

In 2020, healthcare data breaches of 500 or more records were reported at a rate of more than 1.76 per day. 2020 saw 642 large data breaches reported by healthcare providers, health plans, healthcare clearing houses and business associates of those entities – 25% more than 2019, which was also a record-breaking year.

More than twice the number of data breaches are now being reported than 6 years ago and three times the number of data breaches that occurred in 2010.

Key Takeaways

25% year-over-year increase in healthcare data breaches.
Healthcare data breaches have doubled since 2014.
642 healthcare data breaches of 500 or more records were reported in 2020.
76 data breaches of 500 or more healthcare records were reported each day in 2020.
2020 saw more than 29 million healthcare records breached.
One breach involved more than 10 million records and 63 saw more than 100K records breached.
Hacking/IT incidents accounted for 67% of data breaches and 92% of breached records.
3,705 data breaches of 500 or more records have been reported since October 2009.
78 million healthcare records have been breached since October 2009.

2020 was the third worst year in terms of the number of breached healthcare records, with 29,298,012 records reported as having been exposed or impermissibly disclosed in 2020. While that is an alarming number of records, it is 29.71% fewer than in 2019. 266.78 million healthcare records have been breached since October 2009 across 3,705 reported data breaches of 500 or more records.

The Largest Healthcare Data Breaches in 2020

The largest healthcare data breach of 2020 was a ransomware attack on the cloud service provider Blackbaud Inc. The actual number of records exposed and obtained by the hackers has not been made public, but more than 100 of Blackbaud’s healthcare clients were affected and more than 10 million records are known to have been compromised. The breach does not appear on the OCR breach portal, as each entity affected has reported the breach separately.

Prior to deploying ransomware, the hackers stole the fundraising and donor databases of many of its clients which included information such as names, contact information, dates of birth, and some clinical information. Victims included Trinity Health (3.3 million records), Inova Health System (1 million records), and Northern Light Health Foundation (657,392 records).

The Florida-based business associate MEDNAX Services Inc, a provider of revenue cycle management and other administrative services to its affiliated physician practice groups, experienced the largest phishing attack of the year. Hackers gained access to its Office 365 environment and potentially obtained the ePHI of 1,670 individuals, including Social Security numbers, driver’s license numbers, and health insurance and financial information.

Magellan Health’s million-record data breach also started with a phishing email but and ended with ransomware being deployed. The breach affected several of its affiliated entities and potentially saw patient information stolen.

Dental Care Alliance, a dental support organization with more than 320 affiliated dental practices across 20 states, had its systems hacked and the dental records of more than 1 million individuals were potentially stolen.

63 security incidents were reported in 2020 by HIPAA-covered entities and business associates that involved 100,000 or more healthcare records.

Name of Covered Entity	Covered Entity Type	Individuals Affected	Type of Breach
Trinity Health	Business Associate	3,320,726	Hacking/IT Incident
MEDNAX Services, Inc.	Business Associate	1,290,670	Hacking/IT Incident
Inova Health System	Healthcare Provider	1,045,270	Hacking/IT Incident
Magellan Health Inc.	Health Plan	1,013,956	Hacking/IT Incident
Dental Care Alliance, LLC	Business Associate	1,004,304	Hacking/IT Incident
Luxottica of America Inc.	Business Associate	829,454	Hacking/IT Incident
Northern Light Health	Business Associate	657,392	Hacking/IT Incident
Health Share of Oregon	Health Plan	654,362	Theft
Florida Orthopaedic Institute	Healthcare Provider	640,000	Hacking/IT Incident
Elkhart Emergency Physicians, Inc.	Healthcare Provider	550,000	Improper Disposal
Aetna ACE	Health Plan	484,157	Hacking/IT Incident
Saint Luke’s Foundation	Healthcare Provider	360,212	Hacking/IT Incident
NorthShore University HealthSystem	Healthcare Provider	348,746	Hacking/IT Incident
SCL Health – Colorado	Healthcare Provider	343,493	Hacking/IT Incident
AdventHealth	Healthcare Provider	315,811	Hacking/IT Incident
Nuvance Health	Healthcare Provider	314,829	Hacking/IT Incident
Magellan Rx Management	Business Associate	314,704	Hacking/IT Incident
The Baton Rouge Clinic	Healthcare Provider	308,169	Hacking/IT Incident
Allegheny Health Network	Healthcare Provider	299,507	Hacking/IT Incident
Northeast Radiology	Healthcare Provider	298,532	Hacking/IT Incident

Main Causes of 2020 Healthcare Data Breaches

Hacking and other IT incidents dominated the healthcare data breach reports in 2020. 429 hacking/IT-related data breaches were reported in 2020, which account for 66.82% of all reported breaches and 91.99% of all breached records. These incidents include exploitation of vulnerabilities and phishing, malware, and ransomware attacks, with the latter having increased considerably in recent months.

A recent report from Check Point revealed there was a 71% increase in ransomware attacks on healthcare providers in October, and a further 45% increase in healthcare cyberattacks in the last two months of 2020. Some of the year’s largest and most damaging breaches to affect the healthcare industry in 2020 involved ransomware. In many cases, systems were taken out of action for weeks and patient services were affected. Ryuk, Sodinokibi (REvil), Conti, and Egregor ransomware have been the main culprits, with the healthcare industry heavily targeted during the pandemic.

Unauthorized access/disclosure incidents accounted for 22.27% of the year’s breaches and 2.69% of breached records. These incidents include the accessing of healthcare records my malicious insiders, snooping on medical records by healthcare workers, accidental disclosures of PHI to unauthorised individuals, and human error that exposes patient data.

Breach Type	Number of breaches	Records breached	Mean Records Breached	Median Records Breached
Hacking/IT Incident	429	26,949,956	62,820	8,000
Unauthorized Access/Disclosure	143	787,015	5,504	1,713
Theft	39	806,552	20,681	1,319
Improper Disposal	16	584,980	36,561	1,038
Loss	15	169,509	11,301	2,298

Location of Breached Protected Health Information

The increased use of encryption and cloud services for storing data have helped to reduce the number of loss/theft incidents, which used to account for the majority of reported breaches. Phishing attacks are still a leading cause of data breaches in healthcare and are often the first step in a multi-stage attack that sees malware or ransomware deployed.

Email account breaches were reported at a rate of more than 1 every two days in 2020, but email-related breaches took second spot this year behind breaches of network servers. Network servers often store large amounts of patient data and are a prime target for hackers and ransomware gangs.

While the majority of healthcare data breaches have involved electronic protected health information, a significant percentage of breaches in 2020 involved paper/film copies of protected health information which were obtained by unauthorized individuals, lost, or disposed of in an insecure manner.

Which Entities Suffered the Most Data Breaches in 2020?

The pie chart below shows the breakdown of HIPAA covered entities affected by data breaches of 500 or more records in 2020. Healthcare providers suffered the most breaches with 497 reported incidents. Business associates reported 73 data breaches, but it should be noted that in many cases a breach was experienced at the business associate, but the incident was reported by the covered entities affected. In total, 258 of the year’s breaches had some business associate involvement, which is 40.19% of all breaches. There were 70 breaches reported by health plans, and 2 breaches reported by healthcare clearinghouses.

2020 Healthcare Data Breaches by State

South Dakota, Vermont, Wyoming residents survived 2020 without experiencing any healthcare data breaches, but there were breaches reported by entities based in all other states and the District of Columbia.

California was the worst affected state with 51 breaches, followed by Florida and Texas with 44, New York with 43, and Pennsylvania with 39.

State	No. Breaches	State	No. Breaches	State	No. Breaches	State	No. Breaches
California	51	Virginia	18	New Jersey	9	Kansas	3
Florida	44	Indiana	17	South Carolina	9	Nebraska	3
Texas	44	Massachusetts	17	Washington	9	West Virginia	3
New York	43	Maryland	16	Delaware	8	District of Columbia	2
Pennsylvania	39	North Carolina	16	Utah	8	Idaho	2
Ohio	27	Colorado	14	Louisiana	6	Nevada	2
Iowa	26	Missouri	14	Maine	6	Oklahoma	2
Michigan	21	Arizona	12	New Mexico	6	Mississippi	1
Georgia	20	Arkansas	12	Oregon	5	Montana	1
Illinois	20	Kentucky	12	Hawaii	4	New Hampshire	1
Minnesota	20	Wisconsin	12	Alabama	3	North Dakota	1
Connecticut	19	Tennessee	10	Alaska	3	Rhode Island	1

HHS HIPAA Enforcement in 2020

2020 was a busy year in terms of HIPAA enforcement. The HHS’ Office for Civil Rights, the main enforcer of HIPAA compliance, conducted 19 HIPAA compliance investigations that resulted in financial penalties. More penalties were agreed with HIPAA covered entities and business associates in 2020 than in any other year since OCR started enforcing HIPAA compliance. $13,554,900 was paid in penalties across the 19 cases.

It can take several years from the start of an investigation before a financial penalty is levied. Some of the largest settlements of the year date back to breaches that were experienced in 2015 or earlier; however, the large increase in financial penalties in 2020 is largely due to a HIPAA enforcement drive launched by OCR in late 2019 to tackle noncompliance with the HIPAA Right of Access. There were 11 settlements reached with healthcare providers in 2020 to resolve cases where individuals were not provided with timely access to their medical records.

You can view a summary of OCR’s 2020 HIPAA enforcement actions in this post.

State AG HIPAA Enforcement in 2020

OCR is not the only enforcer of HIPAA compliance. State attorney generals also have the authority to take action against entities found not to be in compliance with the HIPAA Rules. There has been a trend for state attorneys general to work together and pool resources in their legal actions for noncompliance with the HIPAA Rules. In 2020, two multi-state actions were settled with HIPAA covered entities/business associates to resolve violations of the HIPAA Rules.

The health insurer Anthem Inc. settled a case that stemmed from its 78.8 million-record data breach in 2015 and paid financial penalties totalling $48.2 million to resolve multiple potential violations of HIPAA and state laws.

CHSPSC LLC, a Tennessee-based management company that provides services to subsidiary hospital operator companies and other affiliates of Community Health Systems, also settled a multi-state action and paid a financial penalty of $5 million to resolve alleged HIPAA violations. The case stemmed from a 2014 data breach that saw the ePHI of 6,121,158 individuals stolen by hackers.

About This Report

The Health Insurance Portability and Accountability Act (HIPAA) requires all healthcare data breaches to be reported to the HHS’ Office for Civil Rights. A summary of breaches of 500 or more records is published by the HHS Office for Civil Rights. This report was compiled using data on the HHS website on 01/19/21 and includes data breaches currently under investigation and archived cases.

The post 2020 Healthcare Data Breach Report: 25% Increase in Breaches in 2020 appeared first on HIPAA Journal.

December 2020 Healthcare Data Breach Report

Posted January 18, 2021 by HIPAA Journal

2020 ended with healthcare data breaches being reported at a rate of 2 per day, which is twice the rate of breaches in January 2020. Healthcare data breaches increased 31.9% month over month and were also 31.9% more than the 2020 monthly average.

There may still be a handful more breaches to be added to the OCR breach portal for 2020 but, as it stands, 565 healthcare data breaches of 500 or more records have been reported to OCR in 2020. That is more than any other year since the HITECH Act required OCR to start publishing data breach summaries on its website.

December was the second worst month of 2020 in terms of the number of breached records. 4,241,603 healthcare records were exposed, compromised, or impermissibly disclosed across the month’s 62 reported data breaches. That represents a 272.35% increase in breached records from November and 92.25% more than the monthly average in 2020. For comparison purposes, there were 41 reported breaches in December 2019 and 397,862 healthcare records were breached.

Largest Healthcare Data Breaches Reported in December 2020

Name of Covered Entity	State	Covered Entity Type	Individuals Affected	Type of Breach	Cause
MEDNAX Services, Inc.	FL	Business Associate	1,290,670	Hacking/IT Incident	Phishing attack
Dental Care Alliance, LLC	FL	Business Associate	1,004,304	Hacking/IT Incident	Unspecified hacking incident
Aetna ACE	CT	Health Plan	484,157	Hacking/IT Incident	Phishing attack (business associate)
Allegheny Health Network	PA	Healthcare Provider	299,507	Hacking/IT Incident	Ransomware attack (Blackbaud)
AMITA Health	IL	Healthcare Provider	261,054	Hacking/IT Incident	Ransomware attack (Blackbaud)
Community Eye Care, LLC	NC	Health Plan	149,804	Hacking/IT Incident	Email account breach
GenRx Pharmacy	AZ	Healthcare Provider	137,110	Hacking/IT Incident	Ransomware attack
Wilmington Surgical Associates, P.A.	NC	Healthcare Provider	114,834	Hacking/IT Incident	Ransomware attack
Agency for Community Treatment Services, Inc.	FL	Healthcare Provider	73,825	Hacking/IT Incident	Ransomware attack
Sonoma Valley Healthcare District	CA	Healthcare Provider	69000	Hacking/IT Incident	Ransomware attack

There were two healthcare data breaches reported in December that each impacted more than 1 million individuals. The largest breach was a phishing attack on the Florida-based business associate, MEDNAX Services, Inc. MEDNAX provides revenue cycle management and other administrative services to its affiliated physician practice groups. Hackers gained access to its Microsoft Office 365-hosted email system after employees responded to phishing emails. The compromised accounts contained the protected health information of 1,290,670 patients of its clients.

Dental Care Alliance is a Sarasota, FL-based dental support organization with more than 320 affiliated dental practices in 20 U.S. states. Little information has been released about the exact nature of the cyberattack, other than hackers gaining access to its systems and viewing files containing patient information.

Causes of December 2020 Healthcare Data Breaches

Ransomware gangs continue to target healthcare organizations and attacks have increased considerably in recent months. 5 of the worst data breaches reported in December involved ransomware, as did many of the smaller breaches. Several healthcare providers have only just reported being affected by the ransomware attack on Blackbaud Inc., which was discovered by the cloud service provide in May 2020.

Phishing continues to be a major cause of healthcare data breaches. There were 13 data breaches involving unauthorized accessing of email accounts, the majority of which used credentials stolen in phishing attacks. While most of the month’s breaches involved unauthorized accessing of electronic protected health information, 17.75% of the month’s breaches involved paper records and films, highlighting the importance of also protecting physical records.

33 hacking/IT incidents were reported to OCR in December 2020. Those incidents accounted for 98.39% of the month’s breached records (4,173,519 records). An average of 126,470 records were breached per incident with a median breach size of 8,000 records per incident.

There were 21 unauthorized access/disclosure incidents reported to OCR which involved a total of 57,837 records. The average breach size was 2,754 records and the median breach size was 1,020 records.

There were 7 theft and loss incidents reported (5 theft/2 loss). The average breach size was 1,392 records and the median breach size was 856 records. There was also one incident involving the improper disposal of 501 records.

Entities Reporting Data Breaches in December 2020

Healthcare providers were the worst affected covered entity in December 2020 with 39 breaches reported, but there was a major increase in data breaches reported by health plans. 17 health plans reported breaches of 500 or more records in December, which is a 183% increase from November.

There were 6 data breaches reported by business associates of HIPAA covered entities, but 40% of the month’s breaches (25) had some business associate involvement. In many cases, the breach was experienced by the business associate but was reported by the covered entity.

December 2020 Healthcare Data Breaches by State

HIPAA covered entities and business associates in 58% of U.S. states reported data breaches in December. Florida was the worst affected of the 29 states with 9 reported data breaches. Pennsylvania also had a particularly bad month with 7 reported breaches, followed by Missouri and Texas with 4, and Illinois, North Carolina, and Tennessee with 3.

There were two breaches reported in each of Arizona, Connecticut, Georgia, Massachusetts, Minnesota, Ohio, and Wisconsin, and one breach reported in each of Arkansas, California, Colorado, Delaware, Indiana, Iowa, Kentucky, Louisiana, Maine, Mississippi, Nebraska, Oregon, Utah, Virginia, and West Virginia.

HIPAA Enforcement in December 2020

2020 has been a busy year in terms of HIPAA enforcement. More financial penalties were imposed on HIPAA covered entities and their business associates to resolve potential HIPAA violations in 2020 than in any other year since the HHS was given the authority to enforce HIPAA compliance. 19 settlements were reached to resolve cases where HIPAA Rules appeared to have been violated.

OCR announced one further financial penalty in December – The 13^th financial penalty under its HIPAA Right of Access initiative. Peter Wrobel, M.D., P.C., dba Elite Primary Care, agreed to pay OCR a $36,000 to resolve a case involving the failure to provide two patients with timely access to their medical records.

You can read more about 2020 HIPAA enforcement in our end of year summary.

The post December 2020 Healthcare Data Breach Report appeared first on HIPAA Journal.

Excellus Health Plan Settles HIPAA Violation Case and Pays $5.1 Million Penalty

Posted January 17, 2021 by HIPAA Journal

The Department of Health and Human Services’ Office for Civil Rights has announced the health insurer Excellus Health Plan has agreed to pay a $5.1 million penalty to settle a HIPAA violation case stemming from a 2015 data breach that affected 9.3 million individuals.

The breach in question was discovered by Excellus Health Plan in 2015, the same year that massive data breaches were discovered by the health insurers Anthem Inc. (78.8 million records) and Premera Blue Cross (10.6 million records). All three entities have now settled breach investigations with OCR and have paid substantial financial penalties.

Excellus Health Plan, doing business as Excellus BlueCross BlueShield and Univera Healthcare, serves individuals in upstate and western New York. In August 2015, the health insurer discovered hackers had gained access to its computer systems. The breach investigation revealed access to its systems was first gained around December 23, 2013 and continued until May 11, 2015. The breach was reported to OCR on September 9, 2015.

The hackers installed malware on its systems, performed reconnaissance, and were found to have accessed the healthcare data of around 7 million Excellus Health Plan members and approximately 2.5 million members of Lifetime Healthcare, its non-BlueCross subsidiary. The information accessed by the hackers included names, contact information, dates of birth, Social Security numbers, health plan ID numbers, claims data, financial account information, and clinical treatment information.

OCR launched an investigation of the breach in June 2016 to determine whether Excellus Health Plan was in compliance with the HIPAA Privacy, Security, and Breach Notification Rules. The investigation identified five standards of the HIPAA Rules where Excellus was potentially noncompliant.

OCR determined the health plan had failed to conduct an accurate and thorough organization-wide risk analysis to identify risks and vulnerabilities to the confidentiality, integrity, and availability of the electronic protected health information (ePHI) of its members. Sufficient measures had not been implemented to reduce risks and vulnerabilities to ePHI to a reasonable and appropriate level, and technical policies and procedures that only allow authorized persons and software programs to access systems containing ePHI were insufficient. As a result of these issues, unauthorized individuals gained access to the PHI of 9,358,891 of its members. It took Excellus more than 18 months to discover its systems had been breached. OCR found policies and procedures requiring regular reviews of information system activity to be lacking.

The financial penalty was agreed with OCR to avoid further investigation and formal proceedings, and the settlement was reached with no admission of liability or wrongdoing. In addition to paying the financial penalty, Excellus is required to adopt a corrective action plan that covers all areas of potential noncompliance identified by OCR during the investigation. Excellus will also be monitored closely by OCR for 2 years to ensure continued compliance with the HIPAA Rules.

“Hacking continues to be the greatest threat to the privacy and security of individuals’ health information. In this case, a health plan did not stop hackers from roaming inside its health record system undetected for over a year which endangered the privacy of millions of its beneficiaries,” said OCR Director Roger Severino. “We know that the most dangerous hackers are sophisticated, patient, and persistent. Health care entities need to step up their game to protect the privacy of people’s health information from this growing threat.”

This is the second HIPAA enforcement action to be announced by OCR in 2021. Earlier this month, OCR said a $200,000 settlement had been reached with Banner Health to resolve potential HIPAA Right of Access violations. The Excellus settlement comes just a few hours after the 5^th Circuit Court of Appeals vacated a $4.3 million Civil Monetary Penalty imposed by OCR on University of Texas M.D. Anderson Cancer Center that stemmed from three incidents involving the loss/theft of portable devices containing ePHI between 2012 and 2013.

The two HIPAA settlements in January follow on from a record year of HIPAA enforcement that saw 19 financial penalties paid by HIPAA covered entities and business associates to resolve potential violations of HIPAA Rules.

The post Excellus Health Plan Settles HIPAA Violation Case and Pays $5.1 Million Penalty appeared first on HIPAA Journal.

Hackers Leak Data Stolen in European Medicines Agency Cyberattack

Posted January 14, 2021 by HIPAA Journal

In December, the European Medicines Agency (EMA) suffered a cyberattack and hackers gained access to third party documents. Some of the data stolen in the attack has now been leaked online.

The EMA is the agency responsible for regulating the assessments and approvals of COVID-19 vaccines, treatments, and research in the EU. The EMA had previously issued an update on investigation into the cyberattack and said only one IT application had been compromised. The EMA said all third parties had been notified about the attack, although those companies were not named. In the updates on the investigation, the EMA said the primary goal of the attackers was to gain access to COVID-19 medicine and vaccine information. While it was clear that documents had been accessed, the EMA has only just confirmed that data was exfiltrated by the attackers.

Prior to the cyberattack, BioNTech and Pfizer submitted their vaccine data to the EMA as part of the approval process and the server accessed by the hackers contained documents related to the regulatory submissions by Pfizer and BioNTech. Pfizer and BioNTech issued a joint statement in December confirming documents relating to their BNT162b2 vaccine had been unlawfully accessed. Reuters has reported Moderna data was also compromised in the attack, but that has yet to be confirmed by Moderna.

In an update issued on January 12, 2021, the EMA confirmed data had been exfiltrated by the attackers and some of the unlawfully accessed documents related to COVID-19 medicines had been leaked on the Internet. The EMA also confirmed for the first time that some personal data had also been compromised.

Neither the EMA, BioNTech, nor Pfizer have disclosed which documents were leaked or what information has been made public; however, Bleeping Computer reported data stolen in the attack had been made available on several hacking forums. Several sources in the cybersecurity intelligence community had confirmed that the leaked data included screenshots of emails, peer review data, and several PDF files, Word documents, and PowerPoint presentations.

“The agency continues to fully support the criminal investigation into the data breach and to notify any additional entities and individuals whose documents and personal data may have been subject to unauthorized access,” said the EMA. The EMA is working closely with law enforcement agencies to remove and secure the leaked data and identify the individuals responsible for the attack. It is currently unclear who was responsible for the cyberattack and if there is a nation-state link.

The investigation into the attack is continuing, but the EMA has confirmed that there will be no impact on the timeline for the review and approval process for the vaccines.

The post Hackers Leak Data Stolen in European Medicines Agency Cyberattack appeared first on HIPAA Journal.

2020-2021 HIPAA Violation Cases and Penalties

Posted January 13, 2021 by HIPAA Journal

The Department of Health and Human Services’ Office for Civil Rights (OCR) settled 19 HIPAA violation cases in 2020. More financial penalties were issued in 2020 than in any other year since the Department of Health and Human Services was given the authority to enforce HIPAA compliance. $13,554,900 was paid to OCR to settle the HIPAA violation cases. 2021 saw a slight reduction in the number of settlements and fines for HIPAA violations, with 14 enforcement actions announced by OCR. Even so, 2021 had the second-highest number of HIPAA fines of any year since OCR started enforcing compliance with the HIPAA Rules.

While the number of penalties was still high in 2021, there was a sizeable reduction in penalty amounts which totaled $5,982,150 for the year, and $5,100,000 of that total came from just one enforcement action. The reason for this is that most of the penalties were for violations of the HIPAA Right of Access, and were in response to investigations of complaints filed by patients who had not been provided with timely access to their medical records, rather than penalties for violations of multiple HIPAA Rules that impacted large numbers of individuals. The $5,100,000 penalty, imposed on Excellus Health Plan, was so large because there were multiple violations of the HIPAA Rules, over multiple years, that led to a breach of the ePHI of 9,358,891 individuals.

Penalties for Noncompliance with the HIPAA Right of Access

In late 2019, OCR announced a new HIPAA enforcement initiative to tackle non-compliance with the Right of Access standard of the HIPAA Privacy Rule. Since then, OCR has been rigorously enforcing compliance with the HIPAA Right of Access and as of December 2021, has imposed 25 penalties for HIPAA Right of Access violations totaling $1,564,650. The fines range from $3,500 to $200,000. There have been 24 settlements and one civil monetary penalty, with many of the fines imposed on small healthcare providers.

The HIPAA Right of Access standard – 45 C.F.R. § 164.524(a) – gives patients the right to access, inspect, and obtain a copy of their own protected health information in a designated record set. When a request is received from an individual or their personal representative, the records must be provided within 30 days. A reasonable, cost-based fee may be charged for providing a copy of the requested records. A request for access to an individual’s health records may be denied, but only in very limited circumstances.

OCR investigates complaints from individuals who allege they have been denied access to their health records, have not received records within 30 days, or have been charged excessive amounts for copies of their records. The financial penalties imposed by OCR in 2020 for HIPAA Right of Access violations ranged from $15,000 to $160,000 and stemmed from refusals to provide copies of records or long delays. In many cases, records were only provided after OCR intervened.

2021 HIPAA Right of Access Enforcement Actions

Covered Entity	Penalty	Outcome
Banner Health	200,000	Settlement
Rainrock Treatment Center LLC (dba monte Nido Rainrock)	160,000	Settlement
Dr. Robert Glaser	100,000	Civil Monetary Penalty
Children’s Hospital & Medical Center	80,000	Settlement
Renown Health	75,000	Settlement
Sharpe Healthcare	70,000	Settlement
Arbour Hospital	65,000	Settlement
Advanced Spine & Pain Management	32,150	Settlement
Denver Retina Center	30,000	Settlement
Village Plastic Surgery	30,000	Settlement
Wake Health Medical Group	10,000	Settlement

Other 2021 HIPAA Violation Penalties

Covered Entity	Penalty	Outcome
Excellus Health Plan	$5,100,000	Settlement
AEON Clinical Laboratories (Peachstate)	$25,000	Settlement

Only two HIPAA enforcement actions in 2021 were not the result of HIPAA Right of Acess violations.

Excellus Health Plan

Rochester, New York-based Excellus Health Plan, a member of the Blue Cross Blue Shield Association, was investigated to identify potential HIPAA compliance issues following a report of a data breach of 9,358,891 records in 2015. It was one of three mega data breaches to be reported by health plans that year, Anthem Inc and Premera Blue Cross being the other two, both of which had settled their cases and paid sizeable penalties.

Excellus discovered the breach in August 2015, with its investigation revealing hackers had access to its systems between December 23, 2013, and May 11, 2015. The breach was reported to OCR on September 9, 2015. Malware had been installed which allowed the hackers to exfiltrate the data of around 7 million Excellus Health Plan members and approximately 2.5 million members of Lifetime Healthcare, its non-BlueCross subsidiary, which included names, contact information, dates of birth, Social Security numbers, health plan ID numbers, claims data, financial account information, and clinical treatment information.

OCR’s investigation uncovered multiple HIPAA violations, including the failure to conduct an accurate and thorough organization-wide risk analysis, the failure to reduce risks and vulnerabilities to ePHI to a reasonable and appropriate level, and a lack of technical policies and procedures to limit data access to authorized persons and software programs. Excellus chose to settle the case and paid a $5,100,000 penalty and agreed to implement a comprehensive Corrective Action Plan to address all areas of non-compliance.

Peachstate Health Management LLC, dba AEON Clinical Laboratories

The enforcement action against Peachstate Health Management is notable because this was the first OCR investigation to result in a financial penalty for HIPAA violations identified in a company that was not the initial subject of the investigation.

OCR launched an investigation after receiving a report from the Department of Veteran Affairs in 2015 about a data breach involving its business associate, Authentidate Holding Corporation (AHC). AHC managed the VA’s Telehealth Services Program and suffered a data breach. While investigating, OCR learned that AHC had entered into a reverse merger with Peachstate Health Management on January 27, 2016, which saw Peachstate acquired by AHC. Peachstate is a CLIA-certified laboratory that provides clinical and genetic testing services through its publicly traded parent company, AEON Global Health Corporation (AGHC).

OCR then launched an investigation of Peachstate to assess HIPAA Privacy and Security Rule compliance and found multiple violations of the HIPAA Rules. OCR identified multiple HIPAA Security Rule failures, including risk assessment, risk management, audit controls failures, as well as the failure to maintain documentation of HIPAA Security Rule policies and procedures. The case was settled for $25,000, and a corrective action plan was agreed to resolve the HIPAA violations.

2020 HIPAA Right of Access Enforcement Actions

Covered Entity	Penalty	Outcome
Dignity Health, dba St. Joseph’s Hospital and Medical Center	$160,000	Settlement
NY Spine	$100,000	Settlement
Beth Israel Lahey Health Behavioral Services	$70,000	Settlement
University of Cincinnati Medical Center	$65,000	Settlement
Housing Works, Inc.	$38,000	Settlement
Peter Wrobel, M.D., P.C., dba Elite Primary Care	$36,000	Settlement
Riverside Psychiatric Medical Group	$25,000	Settlement
Dr. Rajendra Bhayani	$15,000	Settlement
All Inclusive Medical Services, Inc.	$15,000	Settlement
Wise Psychiatry, PC	$10,000	Settlement
King MD	$3,500	Settlement

Other 2020 HIPAA Violation Penalties

The remaining HIPAA violation penalties issued in 2020 were issued for non-compliance with several provisions of the HIPAA Rules. The penalty amounts reflect the seriousness of the violations, the harm caused, the number of individuals affected, the level of cooperation with OCR, the voluntary actions taken to address the violations, and the ability of the entity to pay. In each of the HIPAA violation cases below, OCR discovered multiple violations of the HIPAA Rules.

Covered Entity	Amount	Outcome
Premera Blue Cross	$6,850,000	Settlement
CHSPSC LLC	$2,300,000	Settlement
Athens Orthopedic Clinic	$1,500,000	Settlement
Lifespan Health System Affiliated Covered Entity	$1,040,000	Settlement
Aetna	$1,000,000	Settlement
City of New Haven, CT	$202,400	Settlement
Steven A. Porter, M.D	$100,000	Settlement
Metropolitan Community Health Services dba Agape Health Services	$25,000	Settlement

Second Largest HIPAA Violation Penalty for Premera Blue Cross

The largest HIPAA violation penalty of 2020 was imposed on the health insurer Premera Blue Cross. Premera Blue Cross was investigated over a data breach in which the protected health information of 10,466,692 individuals was obtained by hackers.

During the investigation, OCR discovered multiple potential violations of the HIPAA Security Rule. Premera Blue Cross had failed to conduct a comprehensive risk analysis, had not reduced risks to the confidentiality, integrity, and availability of ePHI to a reasonable and appropriate level, and had implemented insufficient hardware and software controls.

Premera Blue Cross agreed to pay a financial penalty of $6,850,000 to resolve the case and adopted a corrective action plan to address all areas of noncompliance.

In addition to the OCR penalty, Premera Blue Cross settled a multi-state action for $10 million and a class action lawsuit filed on behalf of victims of the breach for $74 million.

The financial penalty was the second-largest ever to be issued by OCR. The largest HIPAA violation penalty – $16 million – was paid by Anthem Inc. in 2018 and resolved an investigation into its 78.8 million record data breach that was discovered in 2015. Following on from that settlement, in 2020 Anthem Inc settled a multi-state action and paid $48.2 million in penalties. Anthem also settled a class action lawsuit filed on behalf of victims of the breach in 2018 for $115 million.

CHSPSC LLC

CHSPSC LLC, a Tennessee-based management company that provides services to many subsidiary hospital operator companies and other affiliates of Community Health Systems, suffered a cyberattack in April 2014 in which compromised admin credentials were used by hackers to gain access to its systems. The hackers stole the ePHI of 6,121,158 individuals.

OCR investigated and found systemic noncompliance with the HIPAA Security Rule. CHSPSC had failed to conduct a comprehensive risk analysis, was not conducting information system activity reviews, and had implemented insufficient access controls and security incident response procedures. When notified about the cyberattack by the FBI, it took CHSPSC two months to respond.

CHSPSC LLC settled the case, paid a $2,300,000 penalty, and adopted a corrective action plan to address all areas of noncompliance. Community Health Systems and CHSPSC LLC also settled a multi-state action with 28 state Attorneys General over the breach for $5,000,000.

Athens Orthopedic Clinic

The Athens, GA-based healthcare provider Athens Orthopedic Clinic suffered a cyberattack in 2016 in which a hacker stole a database containing the PHI of 208,557 patients and demanded payment not to release the stolen data. When payment was not received the database was published.

OCR’s investigation into the breach uncovered systemic noncompliance with the HIPAA Rules. Athens Orthopedic Clinic had failed to conduct a comprehensive risk analysis, had not implemented security procedures to reduce risks to ePHI to a reasonable and appropriate level, had failed to implement appropriate hardware, software, and procedures for recording and analyzing information system activity, and did not implement HIPAA policies until August 2016.

OCR also found the clinic had not entered into business associate agreements with three vendors and did not provide HIPAA Privacy Rule training to the entire workforce until January 15, 2018.

Athens Orthopedic Clinic agreed to settle the case, paid a $1.5 million penalty, and adopted a corrective action plan to address all areas of noncompliance.

Lifespan Health System Affiliated Covered Entity

Lifespan Health System Affiliated Covered Entity is a Rhode Island not-for-profit health system with many healthcare provider affiliates in the state. In February 2017, an unencrypted laptop computer was stolen from an employee’s vehicle. The laptop contained the ePHI of 20,431 patients.

OCR investigated the breach and discovered systemic noncompliance with the HIPAA Rules. Lifespan had conducted a risk analysis and determined encryption was required for its mobile devices due to the high risk of data exposure but failed to implement encryption on mobile devices. The movement of the devices in and out of its facilities was not tracked and there was no comprehensive inventory of mobile devices. OCR also found that there was no business associate agreement between Lifespan Corporation and Lifespan ACE.

Lifespan ACE agreed to settle the case, paid a $1,040,000 penalty, and adopted a corrective action plan to address all areas of noncompliance.

Aetna

Aetna Life Insurance Company and its affiliated covered entity (Aetna) were investigated by OCR after reporting three data breaches in 2017. The first breach involved the exposure of the protected health information of 5,002 plan members over the Internet, and the other two breaches involved mailings in which sensitive PHI could be viewed through the windows of the envelopes. In the first mailing to 11,887 individuals the words ‘HIV medication’ could be viewed through the windows of the envelopes. In the second mailing to 1,600 individuals, the name and logo of an atrial fibrillation study could be viewed.

OCR determined Aetna had not performed periodic technical and non-technical evaluations of operational changes affecting the security of their ePHI, procedures had not been implemented to verify the identity of individuals or entities looking to access their ePHI, disclosures of ePHI had not been limited to the minimum necessary information to achieve the purpose for the disclosures, and there was a lack of appropriate administrative, technical, and physical safeguards to ensure the privacy of ePHI.

Aetna agreed to settle the case, paid a $1 million penalty, and agreed to adopt a corrective action plan to address all areas of noncompliance.

Other penalties related to be breach include a $1.15 million settlement with the New York Attorney General, a $935,000 settlement with the California Attorney General, and similar settlements with Connecticut ($99,959), the District of Columbia ($175,000), and New Jersey ($365,211.59). A class action lawsuit filed on behalf of victims of the breach was settled for $17.2 million.

City of New Haven, CT

In January 2017, the City of New Haven in Connecticut reported a data breach of the ePHI of 498 individuals to OCR. The city had terminated an employee in 2016 during her probationary period. The former employee returned to the New Haven Health Department with her union representative after she had been terminated, used her work key to access her old office, and locked herself inside. She used her login credentials to access a work computer and copied data onto a USB drive before leaving.

In addition to failing to terminate the former employee’s access rights, OCR discovered a comprehensive risk analysis had not been performed, the city had failed to implement HIPAA Privacy Rule policies, and had not issued unique IDs to allow system activity to be tracked.

The City of New Haven settled the case, paid a $202,400 financial penalty, and agreed to adopt a corrective action plan to address all areas of noncompliance.

Steven A. Porter, M.D

The medical practice of Steven A. Porter, M.D in Ogden, UT provides gastroenterological services to more than 3,000 patients. On November 13, 2013, OCR received a breach notification alleging Dr. Porter’s electronic medical record company was impermissibly using patients’ electronic medical records by blocking the practice’s access to ePHI until a $50,000 bill was paid.

OCR investigated and found serious violations of the HIPAA Security Rule at the practice. At the time of the investigation, a risk analysis had never been performed and risks to the confidentiality, integrity, and availability of ePHI had not been managed and reduced to a reasonable and acceptable level. The practice had also allowed Dr. Porter’s EHR company to create, receive, maintain, or transmit ePHI on behalf of the practice, without entering into a business associate agreement.

Dr. Porter settled the case, paid a $100,00 financial penalty, and agreed to adopt a corrective action plan to address all areas of noncompliance.

Metropolitan Community Health Services / Agape Health Services

Metropolitan Community Health Services is a Washington, NC-based Federally Qualified Health Center that provides integrated medical, dental, behavioral health & pharmacy services for adults and children. Operating as Agape Health Services, Metro provides discounted medical services to the underserved population in rural North Carolina.

In June 2011, Metro notified OCR about a breach of the PHI of 1,263 patients. OCR conducted a compliance review and identified longstanding, systemic noncompliance with the HIPAA Security Rule.

Prior to the breach, Metro had not implemented HIPAA Security Rule policies and procedures, had failed to conduct an accurate risk analysis, and had not provided security awareness training to its workforce for more than 16 years.

Metro settled the case, paid a $25,000 penalty, and agreed to adopt a corrective action plan to address all areas of noncompliance.

Further information on HIPAA Penalties

You can view a summary of the HIPAA violation penalties in previous years on this link.

The post 2020-2021 HIPAA Violation Cases and Penalties appeared first on HIPAA Journal.