HIPAA Breach News

January 2021 Healthcare Data Breach Report

January saw a 48% month-over-month reduction in the number of healthcare data breaches of 500 or more records, falling from 62 incidents in December to just 32 in January. While this is well below the average number of data breaches reported each month over the past 12 months (38), it is still more than 1 data breach per day.

[Figure: January 2021 Healthcare Data Breaches]

There would have been a significant decline in the number of breached records were it not for a major data breach discovered by Florida Healthy Kids Corporation that affected 3.5 million individuals. With that breach included, 4,467,098 records were reported as breached in January, which exceeded December’s total by more than 225,000 records.

[Figure: January 2021 Healthcare Data Breaches - Records Exposed]

Largest Healthcare Data Breaches Reported in January 2021

The breach reported by Florida Healthy Kids Corporation was one of the largest healthcare data breaches of all time. The breach was reported by the health plan, but actually occurred at one of its business associates. The health plan used an IT company to host its website and a web application for insurance coverage applications. The company failed to apply patches for 7 years, which allowed unauthorized individuals to exploit the flaws and gain access to sensitive data.

Hendrick Health had a major data breach due to a ransomware attack; one of many reported by healthcare providers since September 2020 when ransomware actors stepped up their attacks on the healthcare sector. The County of Ramsey breach was also due to a ransomware attack at one of its technology vendors.

Email-based attacks such as business email compromise (BEC) and phishing attacks were common in January, and were the cause of 4 of the top ten breaches.

| Name of Covered Entity | Covered Entity Type | Individuals Affected | Type of Breach | Location of Breached Information |
|---|---|---|---|---|
| Florida Healthy Kids Corporation | Health Plan* | 3,500,000 | Hacking/IT Incident: Website and Web Application Hack | Network Server |
| Hendrick Health | Healthcare Provider | 640,436 | Hacking/IT Incident: Ransomware | Network Server |
| Roper St. Francis Healthcare | Healthcare Provider | 189,761 | Hacking/IT Incident: Phishing attack | Email |
| Precision Spine Care | Healthcare Provider | 20,787 | Hacking/IT Incident: BEC attack | Email |
| Walgreen Co. | Healthcare Provider | 16,089 | Unauthorized Access/Disclosure: Unknown | Email |
| The Richards Group | Business Associate | 15,429 | Hacking/IT Incident: Phishing attack | Email |
| Florida Hospital Physician Group Inc. | Healthcare Provider | 13,759 | Hacking/IT Incident: EHR System | Electronic Medical Record |
| Managed Health Services | Health Plan* | 11,988 | Unauthorized Access/Disclosure: Unconfirmed | Paper/Films |
| Bethesda Hospital | Healthcare Provider | 9,148 | Unauthorized Access of EMR by employee | Electronic Medical Record |
| County of Ramsey | Healthcare Provider* | 8,687 | Hacking/IT Incident: Ransomware | Network Server |

*Breach reported by covered entity but occurred at a business associate.

Causes of January 2021 Healthcare Data Breaches

Hacking and other IT incidents continue to cause the majority of healthcare data breaches. January saw 20 hacking/IT incidents reported, which accounted for 62.5% of the month’s data breaches. The protected health information of 4,413,762 individuals was compromised or exposed in those breaches – 98.8% of all breached records in January. The average breach size was 220,688 records and the median breach size was 2,464 records.

There were 11 reported unauthorized access and disclosure incidents involving 50,996 records. The average breach size was 4,636 records and the median breach size was 1,680 records.

There was one reported incident involving the loss of an unencrypted laptop computer containing 2,340 records, but no theft or improper disposal incidents.

[Figure: Causes of January 2021 Healthcare Data Breaches]

As the bar chart below shows, email is the most common location of breached PHI, mostly due to the high number of phishing attacks. This was closely followed by network server incidents, which mostly involve malware or ransomware.

[Figure: Location of PHI in January 2021 Healthcare Data Breaches]

January 2021 Healthcare Data Breaches by Entity Type

Healthcare providers were the worst affected covered entity type with 23 reported data breaches followed by health plans with 6 reported breaches. Three data breaches were reported by business associates of HIPAA covered entities, although a further 7 occurred at business associates but were reported by the covered entity, including the largest data breach of the month.

The number of breaches reported by business associates has been increasing in recent months. These incidents often involve multiple covered entities, such as the data breach at Blackbaud in 2020, which involved the data of more than 10 million individuals across around four dozen healthcare organizations. A study by CI Security found 75% of all breached healthcare records in the second half of 2020 were due to data breaches at business associates.

[Figure: January 2021 healthcare data breaches by covered entity type]

Where Did the Data Breaches Occur?

January’s 32 data breaches were spread across 18 states, with Florida the worst affected with 6 reported breaches. There were 3 breaches reported by entities in Texas and Wyoming, and 2 reported in each of Louisiana, Massachusetts, and Minnesota.

Illinois, Indiana, Maryland, Missouri, Nevada, North Carolina, Ohio, Pennsylvania, South Carolina, Vermont, Virginia, and Washington each had 1 breach reported.

HIPAA Enforcement Activity in January 2021

2020 was a record year for HIPAA enforcement actions with 19 settlements reached to resolve HIPAA cases, and the enforcement actions continued in January with two settlements reached with HIPAA covered entities to resolve violations of the HIPAA Rules.

Excellus Health Plan settled a HIPAA compliance investigation that was initiated following a report of a breach of 9,358,891 records in 2015. OCR investigators identified multiple potential violations of the HIPAA Rules, including a risk analysis failure, risk management failure, lack of information system activity reviews, and insufficient technical policies to prevent unauthorized ePHI access. Excellus Health Plan settled the case with no admission of liability and paid a $5,100,000 financial penalty.

OCR continued its crackdown on noncompliance with the HIPAA Right of Access with a $200,000 financial penalty for Banner Health. OCR found two Banner Health affiliated covered entities had each failed to provide a patient with timely access to medical records, with both patients having to wait several months to receive their requested records.

The post January 2021 Healthcare Data Breach Report appeared first on HIPAA Journal.

Wilmington Surgical Associates Facing Class Action Lawsuit Over Netwalker Ransomware Attack

Wilmington Surgical Associates in North Carolina is facing a class action lawsuit over a Netwalker ransomware attack and data breach that occurred in October 2020.

As is now common in ransomware attacks, files were exfiltrated prior to the deployment of ransomware. In this case, the Netwalker ransomware gang stole 13GB of data from two Wilmington Surgical Associates servers that were used for administration purposes. Some of the stolen data was published on the threat actors’ data leak site, where it could be accessed by anyone.

The leaked data was spread across thousands of files and included financial information related to the practice, employee information, and patient data such as photographs, scanned documents, lab test results, Social Security numbers, health insurance information, and other sensitive patient information.

Wilmington Surgical Associates sent notifications to affected individuals in December 2020 and reported the data breach to the HHS’ Office for Civil Rights on December 17, 2020 as affecting 114,834 patients.

The lawsuit – Jewett et al. v. Wilmington Surgical Associates – was filed by Rhine Law Firm; Morgan & Morgan; and Mason Lietz & Klinger on February 10, 2021 and was recently removed to the US District Court for the Eastern District of North Carolina.

Plaintiffs Katherine Teal, Sherry Bordeaux, and Philip Jewett allege in the lawsuit that their sensitive personal and health information is now in the hands of cybercriminals, which places them at an elevated risk of identity theft and fraud and other damages such as the lowering of credit scores and higher interest rates. The plaintiffs also allege they have suffered ascertainable losses as a result of the security incident in terms of out-of-pocket expenses and time spent remediating the effects of the data breach.

The lawsuit alleges Wilmington Surgical Associates was negligent for failing to adequately safeguard patient data when it had been put on notice about the elevated risk of ransomware attacks. In addition, it is alleged that the North Carolina healthcare provider failed to adequately monitor its systems for network intrusions and failed to provide timely breach notifications to patients and adequate information on the types of information compromised in the attack.

The plaintiffs seek reimbursement of out-of-pocket expenses, compensation for time spent dealing with the aftereffects of the breach, restitution, injunctive relief, and adequate credit monitoring services for breach victims. The lawsuit also asks the court to order Wilmington Surgical Associates to improve data security and undergo annual security audits.


Grand River Medical Group Email Breach Impacts 34,000 Patients

Grand River Medical Group in Dubuque, OH has discovered an unauthorized individual gained access to the email account of an employee and may have viewed or obtained the protected health information of 34,000 patients.

Upon discovery of the breach, a password reset was performed to prevent any further unauthorized access and an internal investigation was launched to determine whether any other systems were breached. The Grand River Medical Group IT team confirmed that only one email account was compromised and no other systems were accessed.

Third-party breach response experts were engaged to conduct a forensic analysis to determine whether any patient information in the email account was viewed or exfiltrated. It was not possible to rule out data theft, although no evidence was found to indicate patient data was stolen in the attack.

The information in the email account varied from patient to patient and included one or more of the following types of protected health information in addition to patient names: Address, date of birth, patient’s balance and balance type, visit type, claim amount and status code, medications, and guarantor’s name. Some Social Security numbers were also exposed.

Notifications were sent to affected patients between February 8 and February 11, 2021. Affected individuals have been offered a complimentary 12-month membership to credit monitoring and identity theft recovery services through MyIDCare, which includes a $1,000,000 identity theft insurance policy.

PHI of 15,600 Patients Potentially Compromised in Granite Wellness Centers Ransomware Attack

Granite Wellness Centers in Northern California suffered a ransomware attack on January 5, 2021 in which patient information was encrypted. The attack was detected while it was in progress and systems were taken offline to prevent the exfiltration of data.

A ransom demand was issued, but no ransom was paid. Granite Wellness Centers was able to restore all encrypted files from backups. A review of the systems affected revealed they contained patient data such as names, dates of birth, dates of service, treatment and health information, treatment provider, and health insurer name.

Granite Wellness Centers has not received any reports that indicate patient information has been misused; however, affected individuals have been advised to monitor their accounts and explanation of benefits statements for suspicious activity. Additional safeguards are being implemented to prevent further cyberattacks and to secure data stored on its systems.

The PHI of up to 15,600 individuals was potentially compromised in the attack.

Texas Spine Consultants Security Breach Impacts 25,728 Patients

Texas Spine Consultants in Addison, TX has discovered a security incident which resulted in the inadvertent disclosure of the protected health information of 25,728 patients. The security incident occurred on December 2, 2020 and is still under investigation, but it does not appear that the disclosure was linked to hackers or criminal activity.

The information inadvertently disclosed was limited to patients’ names, dates of birth, and image scans. Texas Spine Consultants has notified affected individuals by mail and has provided information to help them protect themselves against fraudulent activity. Additional privacy and security measures have now been implemented to prevent further data breaches in the future.

Southern California Center for Anti-Aging Discovers Email Account Breach

The Southern California Center for Anti-Aging in Torrance, CA has discovered an unauthorized individual gained access to an employee’s email account and may have viewed or downloaded patient information.

The breach was detected on December 9, 2020 and access to the email account was immediately blocked. A review of the compromised account revealed it contained patient names along with limited clinical information about the care provided at the Southern California Center for Anti-Aging.

The Southern California Center for Anti-Aging has implemented additional security measures to prevent further breaches in the future and all affected individuals have been notified by mail.

PHI Potentially Obtained in Gastroenterology Consultants Hacking Incident

Gastroenterology Consultants in Reno, NV is notifying 2,500 patients about a data security incident that occurred on December 8, 2020. A hacker gained access to a server and potentially obtained files containing patient names, addresses, contact telephone numbers, and other personally identifiable information.

A forensic investigation was conducted by a third-party security firm and it appears that files were exfiltrated from the server. Additional cybersecurity measures have now been implemented to prevent further breaches in the future.


Ransomware Gangs Leak Sensitive Data Stolen from Capital Medical Center and Rehoboth McKinley Christian Health Care Services

Two more healthcare providers have suffered ransomware attacks in which sensitive information was exfiltrated and leaked online when the ransom was not paid.

The Conti ransomware gang has published data on its leak site which was allegedly obtained in an attack on Rehoboth McKinley Christian Health Care Services in New Mexico. The leaked data includes sensitive patient information including scanned patient ID cards, passports, driver’s license numbers, diagnoses, treatment information, and diagnostic reports.

It is unclear how many patients have had their PHI exposed so far. The Conti ransomware gang claims it has only published around 2% of the data stolen in the attack.

The latest data leak by the Conti ransomware gang follows similar leaks of the data stolen in the ransomware attacks on Leon Medical Centers in Florida and Nocona General Hospital in Texas.

The Avaddon ransomware gang has similarly published data on its leak site that was stolen in an attack on Capital Medical Center in Olympia in Washington. The gang has threatened to leak further data within the next few days if the ransom is not paid. The leaked data includes driver’s license numbers, patient documents, diagnosis and treatment information, insurance information, lab test results, prescriptions, provider names, and patient contact information.

According to Emsisoft, there are currently at least 17 ransomware gangs engaging in data exfiltration prior to file encryption, all of which threaten to release or sell the stolen data if the ransom is not paid. The latest Coveware ransomware report suggests data exfiltration occurs in around 70% of ransomware attacks. These double extortion attacks often see the ransom paid to prevent the release of stolen data, but there are signs that this tactic is becoming less effective due to a lack of trust that the threat groups will delete stolen data if the ransom is paid.

There have been several cases where payment has been made, only for further extortion demands to be made or for stolen data to still be published on leak sites.

Hacker Potentially Obtained Patient Data from Sutter Buttes Imaging Medical Group

Sutter Buttes Imaging Medical Group (SBIMG) in Yuba City, CA has discovered that an unauthorized individual gained access to third-party IT hardware used at its Yuba City imaging center and potentially viewed and obtained limited patient data.

In December 2020, SBIMG learned that a hacker exploited an unpatched vulnerability in IT hardware that was used to store and transmit information in connection with medical services provided to patients. Action was immediately taken to expel the hacker from its systems and secure patient data. An investigation into the incident revealed the hacker first gained access to the IT hardware in July 2019, and access remained possible until December 2020.

An investigation into the security breach showed the attacker had access to limited patient information such as names, dates of birth, imaging procedure performed, study date, study name, and internal patient/study numbers. No financial information, insurance information, or Social Security numbers were compromised.

SBIMG has corrected the vulnerability and other steps have been taken to improve security to prevent similar breaches in the future, including closing certain firewall ports. Third-party security experts have been engaged to assess system security and additional security controls are now being implemented.

All patients have been notified by mail and the breach has been reported to the HHS’ Office for Civil Rights. The incident has yet to appear on the HHS breach portal, so it is currently unclear exactly how many individuals have been affected.


Email Error Results in Impermissible Disclosure of the PHI of 900 Campbell County Health Patients

An email error by an employee of Campbell County Health (CCH) has resulted in the impermissible disclosure of the protected health information of 900 individuals. The Gillette, WY-based health system discovered on February 5, 2021 that an employee sent an email to a patient and attached an incorrect file.

The file contained patient names, account numbers, and their type of insurance. The email error was discovered within an hour of the email being sent and the recipient was immediately contacted and was told to securely delete the attachment. CCH officials provided instructions on how to ensure that the file was permanently deleted from the email account and all devices, and CCH has received satisfactory assurances that the file has now been permanently deleted and no further disclosures were made.

Affected individuals have been notified about the incident and internal policies are being revised to prevent similar incidents in the future. CCH has also provided further training to employees on best practices for protecting patient data.

UT Southwestern Medical Center Alerts Patients About Impermissible PHI Disclosure

UT Southwestern Medical Center in Dallas, TX is notifying 3,640 patients about an inappropriate disclosure of their names and email addresses to a third-party vendor. The information was shared with the third-party vendor in order to send invitations to a Kidney Cancer Program event. No other information was disclosed. All affected patients had previously received medical services through the UTSW Kidney Cancer Program.

The information was not further disclosed or compromised, but the sharing of the patient information was not permitted under HIPAA, hence the need to notify patients. UTSW Medical Center said, “UT Southwestern considers the protection of our patients’ privacy of utmost importance, and we deeply regret the occurrence of this incident and any worry, distress, or difficulty that it may cause.”


21st Century Oncology Data Breach Settlement Receives Preliminary Approval

A settlement proposed by 21st Century Oncology to resolve a November 2020 class action lawsuit has received preliminary approval from the court. The class action lawsuit was filed in District Court for the Middle District of Florida on behalf of victims of a 2015 cyberattack that potentially affected 2.2 million individuals.

21st Century Oncology was notified about a breach of its systems by the Federal Bureau of Investigation on November 13, 2015. An unauthorized individual had gained access to its network and may have accessed or obtained one of its databases on October 3, 2015. The database contained patients’ names, diagnoses, treatment information, Social Security numbers, and insurance information. Notifications to affected individuals were delayed at the request of the FBI so as not to interfere with the investigation. Patients affected by the breach started to be notified in March 2016.

The Department of Health and Human Services’ Office for Civil Rights launched an investigation into the breach and found potential HIPAA violations. 21st Century Oncology settled the case in December 2017 with no admission of liability and agreed to pay a $2.3 million penalty.

The class action lawsuit sought compensation for breach victims who suffered losses as a result of the breach, including reimbursement of out-of-pocket expenses, time spent attempting to remedy issues, and losses to identity theft and fraud.

Under the terms of the proposed settlement, all victims of the breach will be entitled to claim two years of credit monitoring and identity theft protection services through Total Identity, which may be deferred for up to two years.

In addition, the 21st Century Oncology settlement will see breach victims reimbursed for default time spent remedying issues fairly traceable to the data breach, which is based on two hours at $20 per hour up to a maximum of $40. Alternatively, a claim can be made for documented time spent, up to 13 hours at $20 per hour to a maximum of $260.

Any individual who can provide proof of out-of-pocket expenses incurred as a result of the breach or documented fraud will be entitled to submit a claim up to $10,000.

All individuals notified about the breach in or around March 2016 are covered by the settlement and can submit a claim. The deadline for claiming is May 10, 2021. Any class member who wishes to object or exclude themselves from the settlement has until March 9, 2021 to do so.

While the court has granted preliminary approval of the settlement, final approval has not yet been granted. A fairness hearing has been scheduled for June 15, 2021.


Sharp HealthCare Pays $70,000 to Resolve HIPAA Right of Access Violation

The HHS’ Office for Civil Rights (OCR) has fined Sharp HealthCare $70,000 for failing to provide a patient with timely access to his medical records. This is the sixteenth financial penalty to be agreed with OCR under the HIPAA Right of Access enforcement initiative that was launched in late 2019.

OCR received a complaint from a patient on June 11, 2019 that alleged Sharp HealthCare, doing business as Sharp Rees-Stealy Medical Centers (SRMC), failed to provide him with a copy of his medical records within 30 days, as is required by the HIPAA Privacy Rule.

The patient claimed to have made a request in writing on April 2, 2019 but had not been provided with the requested records after waiting more than 2 months. OCR investigated and provided technical assistance to SRMC on the HIPAA Right of Access provision of the HIPAA Privacy Rule and the requirement to send medical records to a third party if requested by a patient. OCR closed the complaint on June 25, 2019.

The same patient filed a second complaint with OCR on August 19, 2019 when the requested medical records had still not been provided. The complainant finally received the requested records on October 15, 2019, more than 6 months after the record request was initially made.

OCR determined the long delay in providing the requested records was in violation of 45 C.F.R. § 164.524 and the HIPAA violation warranted a financial penalty. Had the records been provided in a timely manner after receiving technical assistance, a financial penalty could have been avoided.

In addition to paying the $70,000 penalty, Sharp HealthCare has agreed to adopt a corrective action plan and will be monitored closely for compliance by OCR for 2 years. The corrective action plan requires Sharp HealthCare to develop, maintain, and revise, as necessary, policies and procedures covering patient requests for access to their medical records and training must be provided to the workforce on individuals’ right to access their own PHI.

In an announcement about the latest settlement, Acting OCR Director Robinsue Frohboese said, “Patients are entitled to timely access to their medical records. OCR created the Right of Access Initiative to enforce and support this critical right.”


Ransomware Gang Dumps Data Stolen from Two U.S. Healthcare Providers

The Conti ransomware gang has dumped a large batch of healthcare data online that was allegedly stolen from Leon Medical Centers in Florida and Nocona General Hospital in Texas.

Leon Medical Centers suffered a Conti ransomware attack in early November 2020, which was initially reported to the HHS’ Office for Civil Rights on January 8, 2021 as affecting 500 individuals. Leon Medical Centers explained in its substitute breach notice that the incident involved the use of malware and the investigation confirmed the attackers accessed the personal and protected health information of certain patients.

It is unclear when the ransomware attack on Nocona General Hospital occurred, as notification letters do not appear to have been sent to affected individuals, no breach notice has been posted on its website, and the incident is not listed on the HHS’ Office for Civil Rights breach portal.

According to NBC, which spoke with an attorney representing the hospital, none of its systems appeared to have been breached, files were apparently not encrypted, and no ransom note had been identified by the hospital. The Conti leak site had around 20 files uploaded on February 3, 2021 which contained patient information, and Databreaches.net reports that the site included more than 1,760 leaked files on February 10, most of which appeared to be old data. Databreaches.net was contacted by the hospital’s attorney, who confirmed that the current systems used by the hospital had not been compromised; instead, an old server was compromised that held files relating to patient or patient data transfers. The incident is still under investigation.

The theft of patient data prior to file encryption, often called double extortion, is now commonplace. According to the New Zealand cybersecurity firm Emsisoft, at the start of 2020 only one ransomware group was exfiltrating data prior to file encryption, but by the end of the year at least 17 ransomware groups were exfiltrating data prior to deploying ransomware.

This tactic increases the probability of the ransom being paid. Healthcare organizations may be able to recover files from backups, but they would need to pay the ransom to prevent the stolen data from being dumped on leak sites or sold to other threat actors.

There are signs, however, that this tactic is now proving to be less effective. A recent report by Coveware suggests trust has been eroded and more victims are choosing not to pay the ransom when they can recover their data from backups as there is no guarantee that stolen data will be deleted if the ransom is paid.

Coveware attributed the dramatic reduction in ransom payments in Q4, 2020 to victims choosing not to pay due to a lack of trust in the attackers. “Coveware continues to witness signs that stolen data is not deleted or purged after payment. Moreover, we are seeing groups take measures to fabricate data exfiltration in cases where it did not occur,” explained Coveware, in its Q4 Ransomware Report.


Renown Health Pays $75,000 to Settle HIPAA Right of Access Case

The Department of Health and Human Services’ Office for Civil Rights (OCR) is continuing to crack down on noncompliance with the HIPAA Right of Access. This week, OCR announced its fifteenth settlement to resolve a HIPAA Right of Access enforcement action.

Renown Health, a not-for-profit healthcare network in Northern Nevada, agreed to settle its HIPAA case with OCR to resolve potential violations of the HIPAA Right of Access and has agreed to pay a financial penalty of $75,000.

OCR launched an investigation after receiving a complaint from a Renown Health patient who had not been provided with an electronic copy of her protected health information. In January 2019, the patient submitted a request to Renown Health and asked for her medical and billing records to be sent to her attorney. After waiting more than a month for the records to be provided, the patient filed a complaint with OCR. It took Renown Health until December 27, 2019 to provide the requested records, almost a year after the initial request was made.

The HIPAA Privacy Rule (45 C.F.R. § 164.524) requires medical records to be provided to individuals within 30 days of a request being made. OCR determined that the delay in providing the requested records was in violation of this Privacy Rule provision.

In addition to paying the financial penalty, Renown Health has agreed to adopt a corrective action plan that requires written policies and procedures to be developed, maintained, and revised, as necessary, covering the HIPAA Right of Access. Training must be provided to the workforce on the policies and procedures, and a sanctions policy must be implemented and applied when workforce members fail to comply with the policies and procedures. OCR will monitor Renown Health for compliance with the HIPAA Right of Access for 2 years.

“Access to one’s health records is an essential HIPAA right and health care providers have a legal obligation to their patients to provide access to their health information on a timely basis,” said Acting OCR Director Robinsue Frohboese.

The settlement is the third to be announced by OCR in 2021 and follows a $200,000 settlement with Banner Health for similar HIPAA Right of Access violations and a $5,100,000 settlement with Excellus Health Plan to resolve multiple HIPAA violations that contributed to a 2015 data breach of 9,358,891 records.
