HIPAA Breach News

University of Miami Health and Mott Community College Data Compromised in Ransomware Attacks

The protected health information of patients of University of Miami Health has been obtained by unauthorized individuals in a ransomware attack on the file transfer service provider Accellion.

University of Miami Health used Accellion’s file transfer technology for sharing files that were too large to send via email. The University of Miami said the Accellion solution was only used by a small number of individuals at the university and prompt action was taken to contain the incident. The university has since stopped using Accellion’s file transfer services.

The investigation into the attack is ongoing and the analysis of the files that were obtained or potentially compromised in the attack has not yet been completed, so it is not yet known exactly how many individuals have been affected.

The University of Miami does not believe any of its systems were compromised in the attack with the breach believed to be limited to files sent or received through Accellion’s file transfer solution.

The gang behind the attack demanded a $10 million ransom for the keys to decrypt data and avoid having data published online or sold on dark web marketplaces. Some of the data stolen in the attack has already been posted on the gang’s leak site, including some data relating to patients of University of Miami Health.

The University of Miami was one of several Accellion customers to be affected by the breach, including the University of Colorado, Kroger, Centene, Arizona Complete Health, and Shell Oil.

1,612 Dental Plan Members Affected by Mott Community College Ransomware Attack

Mott Community College has notified 1,612 individuals that files containing their protected health information were obtained by unauthorized individuals prior to the use of ransomware on its systems.

When the attack was discovered, a third-party cybersecurity firm was engaged to assist with the investigation to determine the extent of the security breach. The analysis revealed attackers gained access to its network on November 27, 2020 and access remained possible until January 9, 2021.

On January 23, 2021 Mott Community College discovered that sensitive data had been exfiltrated by the attackers prior to the use of ransomware, and that some of the files related to individuals covered under its self-insured dental plan. A review of those files confirmed they included names, dates of birth, and dental plan enrollment and claims information for individuals covered by the dental plan in 2014-2015, and 2019.

Notification letters were sent to all individuals affected starting on March 24, 2021. While data exfiltration was confirmed, it does not mean the contents of the files were viewed, misused, or further disclosed. Mott Community College has now implemented additional safeguards and technical security measures to prevent any further attacks, including multifactor authentication for all network and email access and additional password requirements.

The post University of Miami Health and Mott Community College Data Compromised in Ransomware Attacks appeared first on HIPAA Journal.

New Jersey Plastic Surgery Practice Pays $30K to OCR to Settle HIPAA Right of Access Case

The HHS’ Office for Civil Rights has announced a settlement has been reached with Ridgewood, NJ-based Village Plastic Surgery to resolve potential violations of the HIPAA Right of Access. Under the terms of the settlement, Village Plastic Surgery will pay a $30,000 penalty and will adopt a corrective action plan that requires policies and procedures to be implemented related to access to protected health information (PHI). OCR will also monitor Village Plastic Surgery for compliance for 2 years.

OCR launched an investigation into Village Plastic Surgery following receipt of a complaint from a patient of the practice on September 7, 2019. The patient had requested a copy of the medical records held by the plastic surgery practice but had not been provided with those records within the maximum time allowed by the HIPAA Privacy Rule. OCR intervened and, during the course of its investigation, Village Plastic Surgery did not provide the patient with the requested records.

OCR investigators determined that the delay in providing the records, which exceeded the 30 days allowed for acting on patient requests for their medical records, was in violation of the HIPAA Right of Access, as detailed in 45 C.F.R. § 164.524. As a result of OCR’s intervention, the patient did receive a copy of the requested records. The case was settled by Village Plastic Surgery with no admission of liability.

“OCR’s Right of Access Initiative continues to support and enforce individuals’ vital right to receive copies of their medical records in a timely manner,” said Acting OCR Director Robinsue Frohboese. “Covered entities must comply with their HIPAA obligations and OCR will take appropriate remedial actions if they do not.”

This is the 18th financial penalty to be imposed by OCR to resolve violations of the HIPAA Right of Access under its Right of Access enforcement initiative that was launched in late 2019. This is the 6th HIPAA penalty to be imposed in 2021, and the 5th to resolve a HIPAA Right of Access violation.


SalusCare Takes Legal Action Against Amazon to Obtain AWS Audit Logs to Investigate Data Breach

SalusCare, a provider of behavioral healthcare services in Southwest Florida, experienced a cyberattack in March that saw patient and employee data exfiltrated from its systems. The exact method used to gain access to its servers has not been confirmed, although the cyberattack is believed to have started with a phishing email that was used to deliver malware. The malware was used to exfiltrate its entire database to an Amazon AWS storage account.

The attack occurred on March 16, 2021 and the investigation into the breach established that the attacker, an individual who appeared to be based in Ukraine, gained access to its Microsoft 365 environment, downloaded sensitive data, and uploaded the stolen data to two Amazon S3 storage buckets.

Amazon was notified about the illegal activity and it suspended access to the S3 buckets to stop the attacker accessing the stolen data. SalusCare requested access to the audit logs, which it requires to continue to investigate the breach and determine exactly what data was stolen. SalusCare also wants to make sure that the suspension is permanent and will not be lifted by Amazon.

The S3 buckets may have been used to store SalusCare data, but Amazon will not voluntarily provide copies of audit logs or a copy of the data stored in the S3 buckets as they do not belong to SalusCare. The two S3 buckets are understood to include almost 86,000 files that were stolen in the attack.

To get access to the audit logs and data, SalusCare filed a lawsuit in federal court seeking injunctive relief under Florida’s Computer Abuse and Recovery Act. SalusCare seeks a ruling that will compel Amazon to provide the audit logs and a copy of the content of the two S3 buckets. SalusCare also wants the courts to order Amazon to make the suspension of access permanent to prevent the attacker from accessing the data or copying the stolen information to another online storage service. SalusCare has also sued the individual behind the attacks – John Doe.

The lawsuit argued that the data stolen in the attack and hosted by Amazon is extremely sensitive and could be used to commit identity theft, could be sold by the hacker on darknet marketplaces, or could be leaked to the public.

“The files contain extremely personal and sensitive records of patients’ psychiatric and addiction counseling and treatment,” explained SalusCare in its petition to the U.S. District Court in Fort Myers. “The files also contain sensitive financial information such as social security numbers and credit card numbers of SalusCare patients and employees.”

The lawsuit requests that after Amazon provides a copy of the data and audit logs to SalusCare the S3 buckets should be purged to prevent any further unauthorized access.

Amazon did not oppose any injunctive relief sought by SalusCare and The News-Press reports that a District Court federal judge granted the requests on March 25, 2021.


Cancer Treatment Centers of America Announces 105,000-Record Data Breach

Cancer Treatment Centers of America is alerting 104,808 patients of its Midwestern Regional Medical Center that some of their protected health information was contained in an email account that was accessed by an unauthorized individual.

Suspicious activity was identified in a CTCA account holder’s account on January 18, 2021. The account was immediately secured to prevent further unauthorized access and a third-party forensics firm was engaged to assist with the investigation and determine the nature and scope of the breach.

The investigation revealed the email account was accessed on January 12, 2021 and access remained possible until January 18 when a password reset was performed. It was not possible to confirm which emails, if any, were accessed, nor was it possible to rule out data theft.

A review of the compromised account revealed it contained patient names, health insurance information, medical record numbers, CTCA account numbers, and limited medical information. No financial information or Social Security numbers were compromised.

CTCA has implemented additional security measures to prevent further breaches and additional security enhancements are being evaluated. Notifications were sent to affected individuals on March 18, 2021.

Vendor Breach Affects More than 9,000 Insulet Patients

The Acton, MA-based medical device company Insulet Corporation is alerting 9,050 patients about a data breach at an online customer training vendor – Cornerstone On-Demand.

Insulet was notified around January 19, 2020 that an unauthorized individual had gained access to Cornerstone’s systems on January 13, 2021 and potentially downloaded data that included the protected health information of Insulet patients.

Data stored on the compromised system included names, email addresses, Insulet customer training records, and online course information. When Cornerstone identified the breach, its systems were immediately secured to prevent further unauthorized access. Additional security measures have since been implemented to prevent further attacks. Insulet said it has begun transitioning to a new online training vendor and will order Cornerstone to delete all its data once the transition has been completed.


Misconfiguration Resulted in Exposure of the PHI of 65,000 Mobile Anesthesiologists Patients

Mobile Anesthesiologists has recently discovered a limited amount of patients’ protected health information (PHI) has been exposed due to a technical misconfiguration. The error was determined to have occurred prior to December 14, 2020, and made PHI such as names, health insurance information, date of service, medical procedure, and dates of birth publicly accessible.

An investigation into the error was concluded on January 28, 2021 and confirmed that the PHI of 65,403 individuals had been exposed. While the PHI could potentially have been accessed by unauthorized individuals, no evidence of unauthorized data access or PHI misuse was discovered. Affected individuals were notified by mail starting March 10, 2021.

Haven Behavioral Healthcare Announces Breach of Systems Containing Patient Data

Nashville, TN-based Haven Behavioral Healthcare has announced that unauthorized individuals gained access to parts of its network that contained the protected health information of patients. The breach was detected on or around September 27, 2020. An investigation was immediately launched, and third-party cybersecurity experts were engaged to determine the nature and scope of the breach.

The investigation revealed its systems were subjected to unauthorized access between September 24 and September 27, 2020 and, on January 27, 2021, it was determined files on those systems contained patient information. A review of the files was completed on March 11, 2021 and notification letters started to be sent on March 23, 2021.

While the files were accessible, the investigation was unable to determine if the files were accessed. It is currently unclear which hospitals and how many patients have been affected.

Email Error Results in Unauthorized Disclosure of Heart of Texas Community Health Center Patients

Heart of Texas Community Health Center has discovered the protected health information of a limited number of patients has been exposed.

An email containing patient data was sent to individuals authorized to view the information, but it was sent to an account outside the protection of the firewall, so it could potentially have been intercepted, as the email was not encrypted.

The email only included an email address and indicated the email account holder was overdue a pap smear. No names or other information were included in the email. The email only related to female patients aged 21 to 65 who were seen at a Heart of Texas Community Health Center site between September and December 2020.

No reports have been received to indicate the email was intercepted or otherwise accessed by unauthorized individuals.


Massachusetts Mental Health Clinic Settles HIPAA Right of Access Case for $65,000

Arbour Hospital, a mental health clinic in Boston, MA, has settled a HIPAA Right of Access investigation with the HHS’ Office for Civil Rights (OCR) and has agreed to pay a $65,000 penalty.

OCR was informed about a potential violation of the HIPAA Right of Access on July 5, 2019. A patient of Arbour Hospital alleged he had requested a copy of his medical records from the hospital on May 7, 2019 but had not been provided with those records within two months.

When a healthcare provider receives a request from a patient who wishes to exercise their HIPAA Privacy Rule right to obtain a copy of their healthcare records, a copy of those records must be provided as soon as possible and no later than 30 days after the request is received. A 30-day extension is possible in cases where records are stored offsite or are otherwise not easily accessible. In such cases, the patient requesting the records must be informed about the extension in writing within 30 days and be provided with the reason for the delay.

OCR contacted Arbour Hospital and provided technical assistance on the HIPAA Right of Access on July 22, 2019 and the complaint was closed. The patient then submitted a second complaint to OCR on July 28, 2019 when his medical records had still not been provided. The records were eventually provided to the patient on November 1, 2019, almost 6 months after the written request was submitted and more than 3 months after OCR provided technical assistance on the HIPAA Right of Access.

OCR determined the failure to respond to a written, signed medical record request from a patient in a timely manner was in violation of the HIPAA Right of Access – 45 C.F.R. § 164.524(b). In addition to the financial penalty, Arbour Hospital is required to adopt a corrective action plan that involves implementing policies and procedures for patient record access and providing training to the workforce. Arbour Hospital will also be monitored by OCR for compliance for 1 year.

“Health care providers have a duty to provide their patients with timely access to their own health records, and OCR will hold providers accountable to this obligation so that patients can exercise their rights and get needed health information to be active participants in their health care,” said Acting OCR Director Robinsue Frohboese.

The HIPAA Right of Access enforcement initiative was launched in late 2019 to ensure patients are provided with timely access to their medical records at a reasonable cost. This is the sixteenth financial penalty to be paid to OCR to resolve HIPAA Right of Access violations under this enforcement initiative and the 4th HIPAA Right of Access settlement to be announced in 2021.


Hospice CEO Pleads Guilty to Falsifying Healthcare Claims and Inappropriate Medical Record Access

The former CEO of Novus and Optimum Health Services, which operates two hospices in Texas, has pleaded guilty in a fraud case that saw Medicare and Medicaid defrauded out of tens of millions of dollars through the submission of falsified health care claims.

Prerak Shah, Acting U.S. Attorney for the Northern District of Texas, recently announced that Bradley Harris, 39, pleaded guilty to conspiracy to commit healthcare fraud and healthcare fraud and is now awaiting sentencing.

In addition to defrauding federal healthcare programs out of tens of millions of dollars, the actions of Harris resulted in vulnerable patients being denied the medical oversight they deserved, saw prescriptions for pain medication written without physician input for his financial benefit, and allowed terminally ill patients to go unexamined.

Harris admitted billing Medicare and Medicaid for hospice services between 2012 and 2016 that were not provided, were not directed by a medical professional, or were provided to individuals who were not eligible for hospice services. Harris also admitted to using blank, pre-signed prescriptions for controlled substances and providing the drugs without any involvement from physicians.

Two coconspirators – Dr. Mark Gibbs and Dr. Laila Hirjee – were paid $150 for each false order they signed and would regularly certify that hospice patients had terminal illnesses with a life expectancy of 6 months or less, without having conducted any examinations. Dr. Gibbs, Dr. Hirjee, and a third physician, Dr. Charles Leach, provided blank prescriptions for controlled substances which allowed Harris to prescribe Schedule II controlled substances to Medicare and Medicaid beneficiaries in the hospice without guidance from a medical professional.

Harris also violated the Health Insurance Portability and Accountability Act (HIPAA) Rules when he accessed the medical records of patients to identify individuals who could be contacted and offered Novus hospice services. In the summer of 2014, Harris negotiated an agreement with Express Medical which allowed him to access the medical records of potential patients in return for using the company for lab services and home health visits. Previous patients of Express Medical were then contacted by Harris’s wife and other hospice staff to recruit them, regardless of whether they were actually eligible for hospice services. This allowed Harris to recruit new hospice patients to avoid exceeding Medicare’s aggregate hospice cap.

The HHS’ Centers for Medicare and Medicaid Services received multiple reports of potential fraud and suspended Novus; however, Harris then transferred patients from Novus to a new hospice company, which then transferred reimbursements for hospice services back to Novus. Dr. Gibbs was registered as the medical director of the new hospice company.

Harris is scheduled to be sentenced on August 3, 2021 and faces up to 14 years in jail. The trial of Dr. Gibbs, Dr. Hirjee and two other coconspirators is scheduled for April 5, 2021. Ten codefendants have already pleaded guilty and are awaiting sentencing for their roles in the scam. Dr. Charles Leach previously pleaded guilty to one count of conspiracy to commit healthcare fraud in 2018, for his role in the $60 million fraud case. According to court documents, the blank prescriptions Dr. Leach signed were used to obtain controlled substances, high doses of which were then administered to patients by nurses to hasten their deaths.

“The Justice Department cannot allow unscrupulous business people to interfere with the practice of medicine. We are determined to root out healthcare fraud,” said Acting U.S. Attorney Prerak Shah. “We will continue to work tirelessly with our state and federal partners to hold those who commit health care fraud accountable and seek justice for patients that are harmed in furtherance of fraud schemes,” said FBI Dallas Special Agent in Charge Matthew DeSarno.


California Department of State Hospitals Discovers Unauthorized Data Copying by IT Employee

The Department of State Hospitals (DSH) in California has discovered an employee accessed the protected health information (PHI) of 1,415 current/former patients and 617 employees without authorization.

The individual had an Information Technology role and had access to data servers containing sensitive patient and employee information in order to complete work duties. The improper access was discovered by DSH on February 25, 2021 during a routine annual review of access to data folders.

An investigation was immediately launched which revealed the employee had been accessing data without authorization for around 10 months. Files containing names, COVID-19 test results, and other health information necessary for tracking COVID-19 were copied directly from the server. The investigation into the privacy breach is ongoing and the employee has been placed on administrative leave pending completion of the investigation. So far, the investigation has not uncovered any evidence to suggest the copied data has been misused or disclosed to any other individual.

DSH explained that safeguards were in place to identify unauthorized PHI access, but since the actions of the employee were identical to legitimate access, the unauthorized access was not identified when it happened and was only discovered during the annual review.

“It appears that the employee used the access they were provided in order to perform their normal job duties to go directly into the server, copy files containing patient, former patient, and employee names, COVID-19 test results, and related health information without any apparent connection to their job duties, indicating a high probability of unauthorized access,” explained DSH in its data breach FAQs. It is currently unclear whether this was an intentional breach.

Steps have since been taken to prevent similar incidents in the future, including changing policies and procedures, limiting access to servers containing PHI, and improving logging and reviews of data activity. Automated detection of files containing PHI being copied to non-standard locations has also been improved.
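The DSH incident illustrates why per-event access controls alone miss an insider with legitimate credentials: each file read by the IT employee looked exactly like routine administrative access. The review that eventually caught it worked on aggregate behaviour (who touched which folders over a period) and on destinations (PHI copied somewhere it does not belong). The following is an added example, not DSH's code or log format, of how a file-server audit review can encode both views. The log layout, folder names, roles, baselines and user names are constructed assumptions for illustration.

```python
"""
Insider-style PHI access review over a file-server audit log.

Two complementary rules, reflecting the DSH lessons described above:
  1. Per-event: a COPY of a file under a PHI-classified path to a
     destination outside the approved locations ("non-standard location").
  2. Per-user aggregate: the number of distinct PHI files a user touched in
     the review window exceeds a baseline expected for that user's role.

Everything here (log format, paths, roles, thresholds) is a constructed
assumption for this example, not DSH's actual environment.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime

# Constructed sample audit log, one event per line:
# timestamp | user | role | action | source path | destination path ("-" if none)
SAMPLE_LOG = """\
2021-02-01T09:12:03 | jsmith | it_admin | READ | /srv/phi/covid/results_2021-01.csv | -
2021-02-01T09:13:10 | jsmith | it_admin | COPY | /srv/phi/covid/results_2021-01.csv | /home/jsmith/Downloads/results_2021-01.csv
2021-02-01T09:15:44 | jsmith | it_admin | COPY | /srv/phi/covid/staff_results.csv | /media/usb0/staff_results.csv
2021-02-01T10:02:17 | jsmith | it_admin | COPY | /srv/phi/covid/contacts.csv | /srv/backup/nightly/contacts.csv
2021-02-01T10:30:00 | rjones | it_admin | READ | /srv/it/patches/patch_run.log | -
2021-02-01T11:05:21 | mlee | epidemiology | READ | /srv/phi/covid/results_2021-01.csv | -
2021-02-01T11:06:02 | mlee | epidemiology | COPY | /srv/phi/covid/results_2021-01.csv | /srv/phi/covid/working/results_copy.csv
"""

# Assumed data classification: anything under these prefixes is PHI.
PHI_PATH_PREFIXES = ("/srv/phi/",)
# Assumed sanctioned destinations for PHI (the PHI share itself and the backup target).
APPROVED_DESTINATION_PREFIXES = ("/srv/phi/", "/srv/backup/")
# Assumed baseline: distinct PHI files a role is expected to touch per review window.
# IT administrators maintain the server but have no business need for PHI content.
ROLE_BASELINE = {"it_admin": 2, "epidemiology": 50}


@dataclass
class Event:
    ts: datetime
    user: str
    role: str
    action: str
    src: str
    dst: str  # empty string when the event has no destination


def parse_log(text: str) -> list:
    """Parse the pipe-delimited audit format into Event records."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        parts = [p.strip() for p in line.split("|")]
        if len(parts) != 6:
            raise ValueError(f"malformed audit line: {line!r}")
        ts, user, role, action, src, dst = parts
        events.append(Event(datetime.fromisoformat(ts), user, role, action,
                            src, "" if dst == "-" else dst))
    return events


def is_phi_path(path: str) -> bool:
    return path.startswith(PHI_PATH_PREFIXES)


def is_approved_destination(path: str) -> bool:
    return path.startswith(APPROVED_DESTINATION_PREFIXES)


def detect_offsite_phi_copies(events: list) -> list:
    """Rule 1: PHI file copied to a location outside the approved set."""
    return [e for e in events
            if e.action == "COPY" and is_phi_path(e.src)
            and not is_approved_destination(e.dst)]


def detect_volume_anomalies(events: list, baseline: dict = ROLE_BASELINE) -> list:
    """Rule 2: distinct PHI files touched per user exceeds the role baseline.
    Catches the pattern where every single event is plausible but the total is not."""
    touched = defaultdict(set)
    role_of = {}
    for e in events:
        if is_phi_path(e.src):
            touched[e.user].add(e.src)
            role_of[e.user] = e.role
    findings = []
    for user, files in touched.items():
        limit = baseline.get(role_of[user], 0)  # unknown roles get no PHI allowance
        if len(files) > limit:
            findings.append({"user": user, "role": role_of[user],
                             "distinct_phi_files": len(files), "baseline": limit})
    return findings


def review(text: str) -> dict:
    """Run both rules over a raw log and return the findings for a reviewer."""
    events = parse_log(text)
    return {"offsite_copies": detect_offsite_phi_copies(events),
            "volume_anomalies": detect_volume_anomalies(events)}


if __name__ == "__main__":
    result = review(SAMPLE_LOG)
    for e in result["offsite_copies"]:
        print(f"[COPY-OUT] {e.ts} {e.user} ({e.role}) {e.src} -> {e.dst}")
    for f in result["volume_anomalies"]:
        print(f"[VOLUME]   {f['user']} ({f['role']}) touched "
              f"{f['distinct_phi_files']} PHI files, baseline {f['baseline']}")
```

On the constructed sample, the copy to the backup target and the epidemiologist's working copy inside the PHI share are left alone, while the two copies to a home directory and removable media are flagged, and the IT account is additionally flagged on volume because it touched three distinct PHI files against a role baseline of two. Running this continuously rather than as an annual review is what turns the DSH lesson into detection rather than discovery ten months later.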

Mendelson Kornblum Orthopedic and Spine Specialists Discovers Vulnerable Server Containing 28,658 Patients’ PHI

Mendelson Kornblum Orthopedic and Spine Specialists has recently announced that the protected health information of 28,658 patients has been exposed and may have been accessed by unauthorized individuals.

On January 5, 2021, the practice discovered one of its servers was “vulnerable to viewing by unauthorized third parties.” The server contained information such as patient names, medical record numbers, dates of birth, sex of patients, and information relating to medical images, such as the date/time the image was taken, image number, and the name of the body part that was imaged.

No medical images were accessible, nor highly sensitive information such as Social Security numbers, health insurance information, diagnosis/treatment information, or financial information.

While the server was vulnerable to third party access, the investigation did not uncover evidence of any misuse of patient data. Steps have since been taken to prevent similar incidents in the future.

Eyemart Express Alerts Patients to Email Account Breach

Farmers Branch, TX-based Eyemart Express has discovered an unauthorized individual has accessed the email accounts of certain employees and potentially viewed or obtained patients’ protected health information. The breach was discovered on December 11, 2020 and steps were immediately taken to prevent further unauthorized access.

The investigation confirmed the breach started on August 21, 2020 and was limited to email accounts. No internal systems were affected. A comprehensive review of the affected email accounts revealed they contained information such as names, e-mail addresses, and the subject lines of email communications between Eyemart Express and the affected customers. Only a small percentage of its patients have been affected and they have now been notified.


February 2021 Healthcare Data Breach Report

There was a 40.63% increase in reported data breaches of 500 or more healthcare records in February 2021. 45 data breaches were reported to the Department of Health and Human Services’ Office for Civil Rights by healthcare providers, health plans and their business associates in February, the majority of which were hacking incidents.

Healthcare Data Breaches Past 12 Months

After two consecutive months where more than 4 million records were breached each month there was a 72.35% fall in the number of breached records. 1,234,943 records were exposed, impermissibly disclosed, or stolen across the 45 breaches.

Healthcare Records Breached Past 12 Months

Largest Healthcare Data Breaches Reported in February 2021

| Name of Covered Entity | State | Covered Entity Type | Individuals Affected | Type of Breach | Cause of Breach |
| --- | --- | --- | --- | --- | --- |
| The Kroger Co. | OH | Healthcare Provider | 368,100 | Hacking/IT Incident | Ransomware |
| BW Homecare Holdings, LLC (Elara Caring single affiliated covered entity) | TX | Healthcare Provider | 100,487 | Hacking/IT Incident | Phishing |
| RF EYE PC dba Cochise Eye and Laser | AZ | Healthcare Provider | 100,000 | Hacking/IT Incident | Ransomware |
| Gore Medical Management, LLC | GA | Healthcare Provider | 79,100 | Hacking/IT Incident | Hacking incident |
| Summit Behavioral Healthcare | TN | Healthcare Provider | 70,822 | Unauthorized Access/Disclosure | Phishing |
| Humana Inc | KY | Health Plan | 62,950 | Unauthorized Access/Disclosure | Subcontractor shared PHI without consent |
| Nevada Orthopedic & Spine Center | NV | Healthcare Provider | 50,000 | Hacking/IT Incident | Unconfirmed |
| Fisher Titus Health, Inc. | OH | Health Plan | 49,636 | Hacking/IT Incident | Phishing |
| Covenant HealthCare | MI | Healthcare Provider | 47,178 | Hacking/IT Incident | Phishing |
| UPMC | PA | Healthcare Provider | 36,086 | Hacking/IT Incident | Phishing attack on BA |
| Grand River Medical Group | IA | Healthcare Provider | 34,000 | Hacking/IT Incident | Phishing |
| AllyAlign Health, Inc. | VA | Health Plan | 33,932 | Hacking/IT Incident | Ransomware |
| Harvard Eye Associates | CA | Business Associate | 29,982 | Hacking/IT Incident | Ransomware attack on BA |
| Texas Spine Consultants, LLP | TX | Healthcare Provider | 25,728 | Unauthorized Access/Disclosure | Unconfirmed |
| UPMC Health Plan | PA | Health Plan | 19,000 | Hacking/IT Incident | Phishing attack on BA |

Causes of February 2021 Healthcare Data Breaches

Three breaches of more than 100,000 records were reported in February. The largest healthcare data breach of the month was reported by Kroger, an Ohio-based chain of supermarkets and pharmacies. The breach was due to a CLOP ransomware attack on a vendor – Accellion – that resulted in the theft of the protected health information of 368,100 of its customers. Kroger was one of several HIPAA-covered entities to be affected by the breach.

Elara Caring, one of the nation’s largest providers of home-based care, announced that several employee email accounts containing protected health information had been accessed by unauthorized individuals as a result of responses to phishing emails. Cochise Eye and Laser was also the victim of a ransomware attack in which the protected health information of 100,000 individuals was potentially stolen.

February 2021 Healthcare Data Breaches - Causes

Phishing attacks were the most common cause of data breaches in February, with network server incidents a close second. These mostly involved hacking and the deployment of malware or ransomware. Hacking incidents accounted for 71.1% of the month’s breaches and 85.7% of all records breached in the month. The average size of a hacking breach was 30,239 records and the median breach size was 8,849 records.

There were 10 unauthorized access/disclosure incidents reported in February involving 172,799 records. The average breach size was 17,280 records and the median breach size was 2,497 records. There were 2 theft incidents and 1 loss incident reported, involving a total of 3,773 records, all three of which involved paper records.

February 2021 Healthcare Data Breaches - Location of breached PHI

Entities Reporting Healthcare Data Breaches in February 2021

Healthcare providers were the worst affected covered entity type in February, with 35 breaches reported. There were 5 breaches reported by health plans and 5 reported by business associates of HIPAA-covered entities. A further 5 breaches were reported by the covered entity but had some business associate involvement.

Entities affected by February 2021 healthcare data breaches

Healthcare Data Breaches by State

Healthcare data breaches of 500 or more records were reported in 20 states in February 2021. The worst affected states were California and Texas with six breaches reported in each state. 5 entities in Pennsylvania reported breaches, there were 4 breaches reported in Florida and Michigan, 2 in each of North Carolina, Nevada, Ohio, Tennessee, and Virginia, and 1 in each of Arizona, Colorado, Georgia, Iowa, Kentucky, Louisiana, Minnesota, North Dakota, Utah, and Wyoming.

HIPAA Enforcement Activity in February 2021

In February, the HHS’ Office for Civil Rights announced two settlements had been reached with HIPAA-covered entities to resolve potential violations of the HIPAA Rules. Both enforcement actions were in response to complaints from patients who had not been provided with timely access to their medical records.

OCR launched a new enforcement initiative in late 2019 targeting healthcare providers who were not complying with the HIPAA Right of Access provision of the HIPAA Privacy Rule. Three Right of Access enforcement actions have resulted in settlements so far in 2021, with the latest two bringing the total number of settlements under this enforcement initiative to 16.

Sharp HealthCare settled its case with OCR and paid a $70,000 penalty and Renown Health settled its case for $75,000.
