HIPAA Breach News

Singing River Health System Confirms Ransomware Attack Affected 253,000 Patients

Posted by Steve Alder

Singing River Health System has confirmed that the PHI of 253,000 patients was compromised in an August 2023 ransomware attack.  Data breaches have also been reported by Highlands Oncology Group, Fincantieri Marine Group, Senior Scripts, and Family Healthcare.

Singing River Health System

Singing River Health System in Mississippi experienced a ransomware attack in August 2023 that took its IT systems out of action for several days, including its electronic medical record system. Without access to patient data and essential IT systems, operations were disrupted, although care continued to be provided to patients throughout. The Rhysida ransomware group claimed responsibility for the attack.

The attack was detected on August 19, 2023, and the forensic investigation confirmed there had been unauthorized network access between August 16 and August 18, 2023. When the initial announcement about the attack was made, it was unclear if any patient data had been compromised and as the deadline for reporting the breach to the HHS’ Office for Civil Rights approached it was still unclear exactly how many patients had been affected, so the breach was reported with an interim figure of 501 individuals.

On September 13, 2023, Singing River Health System confirmed that data had been exfiltrated from its systems, and an update was provided on October 18, 2023; although the extent of the breach had still not been confirmed. On December 18, 2023, Singing River Health System confirmed that the protected health information of 252,890 patients had been compromised. The data involved included names, dates of birth, addresses, Social Security numbers, medical information, and health information.

Notification letters were mailed to the affected individuals on January 12, 2023, and the affected patients have been offered complimentary credit monitoring and identity theft protection services.

Highlands Oncology Group

Highlands Oncology Group in Arkansas experienced a ransomware attack in September 2023. The attackers gained access to parts of its network that contained the protected health information of 55,297 patients. The attack was detected on September 26, 2023, and immediate action was taken to isolate its network to prevent further unauthorized access. The forensic investigation confirmed the attackers had access to its network between September 25, 2023, and September 26, 2023, and that files may have been acquired before ransomware was used to encrypt files.

The review confirmed on November 27, 2023, that the following types of information may have been accessed or acquired in the attack: name, date of birth, Social Security number, driver’s license/state ID number, passport number, military ID number, financial account number, credit/debit card number with and without expiration date and security code, health insurance information, and clinical information, such as diagnosis/conditions, lab results, and prescription information.

While no cases of identity theft or fraud have been tied to the incident, as a precaution, individuals whose Social Security numbers and/or driver’s license/state ID numbers were involved have been offered complimentary identity theft protection services.

Fincantieri Marine Group

Fincantieri Marine Group, LLC, the U.S. arm of the Italian shipbuilder, has confirmed that the protected health information of 11,535 members of its group health plan had their data compromised in an April 2023 ransomware attack. Fincantieri said the attack was detected on April 12, 2023, and the outage caused significant production disruption, as it affected servers that fed information to machines used for welding, cutting, and other manufacturing processes, which were taken out of action for several days.

Fincantieri announced the attack in April 2023; however, the extent of the attack was unclear at the time. It was since confirmed that the attackers had access to its network between April 6, 2023, and April 12, 2023, and during that period, files were exfiltrated from its network. Fincantieri’s review of the files on the affected part of its network confirmed on November 6, 2023, that the data of 16,769 individuals had been exposed and potentially stolen, including 11,535 members of its group health plan. The affected individuals were notified about the incident on January 5, 2023, and 2 years of complimentary credit monitoring services have been offered.

Senior Scripts

Midwest Long Term Care Services, which does business as Senior Scripts, recently confirmed that the protected health information of 10,566 patients was compromised in a security incident that disrupted some of its IT systems. The cyberattack was detected and blocked on October 20, 2023, and the forensic investigation confirmed that the attackers first accessed its system on October 8, 2023. Files containing patient data were potentially removed from its network that included information such as names, contact information, insurance information, dates of birth, prescription information, and Social Security numbers. Network monitoring capabilities have been enhanced and security measures will continue to be reviewed and improved to prevent similar incidents in the future.

Family Healthcare

Family Healthcare in North Dakota has recently announced that it has been affected by a data breach at its business associate Brady Martz & Associates. Brady Martz & Associates is a North Dakota-based provider of tax-related services, audit and financial guidance, and bookkeeping and payroll assistance.

Brady Martz & Associates was provided with the data of Family Healthcare employees and certain patients in order to complete its contracted duties, which included auditing patient billing documents. Brady Martz & Associates promptly detected a security breach in November 2022 and engaged cybersecurity experts to investigate to determine the extent of the breach, which was discovered to have affected more than 53,000 individuals. The breach was announced by Brady Martz & Associates on September 8, 2023.

According to Brady Martz & Associates, the information exposed and potentially compromised in the attack included patient and/or employee names, dates of birth, ages, phone numbers, financial account information, health insurance information, patient account numbers, Social Security numbers, and information regarding care received at Family HealthCare facilities. It is unclear how many Family Healthcare patients were affected and why it took until January 11, 2024, for Family Healthcare to publicly announce the breach.

The post Singing River Health System Confirms Ransomware Attack Affected 253,000 Patients appeared first on HIPAA Journal.

Electrostim Medical Services Data Breach Impacts 543,000 Patients

Posted by Steve Alder

The Florida medical device company Electrostim Medical Services, Inc., which does business as EMSI, has recently confirmed that it suffered a cyberattack in May 2023 which involved access to parts of the network containing patient data. The Electrostim Medical Services data breach has recently been reported to the HHS’ Office for Civil Rights as affecting 542,990 patients.

Suspicious activity was detected within its network on May 13, 2023, and after securing its systems, third-party cybersecurity specialists were engaged to assess the nature and scope of the incident. The investigation confirmed that unauthorized individuals had access to its network for around two weeks between April 27, 2023, and May 13, 2023. While data theft was not confirmed, the unauthorized individuals had access to parts of the network containing patients’ protected health information and that information may have been copied. Electrostim Medical Services said it has not learned of any instances of attempted or actual misuse of patient data as a result of the security incident.

The breach notifications explained that the delay in notifications was due to an extensive review of its network to determine the individuals and data types involved, and a review of internal records to identify contact information to allow notification letters to be sent. The types of information involved varied from individual to individual and may have included the following: name, address, email address, phone number(s), diagnosis, insurance information, subscriber number, and product(s) prescribed and billed.

Electrostim Medical Services said notification letters were mailed in late December and steps have been taken to improve network security.

The post Electrostim Medical Services Data Breach Impacts 543,000 Patients appeared first on HIPAA Journal.

ConsensioHealth Ransomware Attack Affects 61,000 Patients

Posted by Steve Alder

The Wisconsin-based medical billing service, ConsensioHealth, has recently notified 60,871 individuals about a July 2023 ransomware attack. The attack was discovered on July 3, 2023, when staff were prevented from accessing files on the network. Steps were immediately taken to prevent further unauthorized access and third-party cybersecurity experts were engaged to assist with the investigation and to help determine whether patient data was accessed or copied from its systems. The investigation confirmed that data had been stolen, and on November 7, 2023, it was confirmed that some of those files contained the data of patients of the following covered entities:

  • Emergency Medicine Specialists, S.C.
  • Ascension Wisconsin
  • Wisconsin Urgent Care
  • Kenosha Urgicare
  • Fox Valley Emergency Medicine
  • Dr. Linda Jingle
  • Woundcare Innovations of Golf Land

The impacted data varied from individual to individual and may have included the following data types: Name, address, date of birth, driver’s license or other state identification number, Social Security number, account access credentials, health insurance information, medical treatment and diagnosis information, medical treatment cost information, patient account number, Medicare or Medicaid number, healthcare provider information, and prescription information.

ConsensioHealth said its information security practices have been reviewed and updated and additional security measures have been implemented.

Southeastern Orthopaedic Specialists Data Incident Affects 35,500 Patients

Southeastern Orthopaedic Specialists in Greensboro, NC, have identified unauthorized access to its network and the potential theft of the protected health information of 35,533 patients.

The Southeastern Orthopaedic Specialists substitute breach notice is devoid of any meaningful information about the data incident, which is described as “a cybersecurity incident that impacted its IT systems.” The breach notice does not state when the breach occurred, when it was detected, for how long hackers had access to the network, whether there was access to patient data, if data was stolen, what types of data were exposed or stolen, or the nature of the attack.

The December 19, 2023, notice only states that no evidence of fraud or identity theft was identified, which may lead the affected individuals to believe that there is little risk; however, there is insufficient information in the notice to allow the affected individuals to gauge the level of risk they face. The breach was sufficiently severe to warrant providing the affected individuals with complimentary credit monitoring and identity theft protection services, and it is strongly advisable to take advantage of those services.

Data of Healthcare Clients Exposed in Burr & Forman Cyberattack

The Birmingham, Alabama Am Law 200 firm, Burr & Forman, has recently confirmed that it fell victim to a cyberattack in October 2023 which resulted in unauthorized access to client data, including two clients that are covered by HIPAA. Suspicious activity was detected on one of its laptops in October and the laptop was immediately isolated to prevent further access.

According to the law firm Constangy, Brooks, Smith & Prophete, which is representing Burr & Forman, the cyberattack was detected promptly and was rapidly contained but it was not possible to prevent unauthorized access to documents on its systems. On November 10, 2023, it was confirmed that there had been access to the data of its client Oceans Healthcare, and one other unnamed HIPAA-covered entity. In total the personal and protected health information of 19,893 individuals was exposed.

Burr & Forman was provided with personal information in connection with the legal services provided to its healthcare clients and that information included names, Social Security numbers, medical coding information, dates of service, and insurance information. In its substitute breach notification, Burr & Forman confirmed it is notifying the individuals affected and has provided resources to assist them, and has enhanced network security to prevent similar breaches in the future.

Sharp Health Plan Notifies Members About MOVEit Hack and Mismailing Incident

8,200 Sharp Health Plan members have recently been notified that some of their protected health information was compromised in a hacking incident at one of its business associates, Delta Dental. Delta Dental used the MOVEit Transfer file transfer solution, which was hacked by the Clop hacking group and data were exfiltrated between May 27 and May 30, 2023. Delta Dental’s investigation indicated in July 2023 that Sharp Health Plan member information may have been involved, and that was confirmed on November 17, 2023; however, it took until late December to determine which members had been affected. The stolen data was limited to members’ first and last names, Social Security numbers, dental provider names, health insurance, and treatment cost information. The affected individuals are being notified directly by Delta Dental.

Sharp Health Plan has also notified certain members about a mismailing incident that occurred on December 26, 2023. A system error in the software of the health plan’s mailing vendor resulted in members’ names being omitted from the envelopes. Without a name on the letters, other household members may have opened the letters. The letters listed the intended recipient’s name, address, behavioral health provider’s name, and that confirmed that the member visited the provider in 2023.

Rebekah Children’s Services Reports September 2023 Cyberattack

Rebekah Children’s Services in Gilroy, CA, identified suspicious activity on its network on September 5, 2023, and engaged a third-party forensics firm to investigate to determine the nature of the attack. The forensic investigation confirmed that hackers had gained access to parts of the network where protected health information was stored, and the file review confirmed that names, addresses, Social Security numbers, dates of birth, health information, health insurance information, treatment information, medications, and driver’s license numbers had potentially been obtained. Steps have been taken to improve security and the 2,805 affected individuals have been notified and offered complimentary access to single bureau credit monitoring services.

The post ConsensioHealth Ransomware Attack Affects 61,000 Patients appeared first on HIPAA Journal.

Novant Health Settles $6.6 Million Pixel Privacy Breach Lawsuit

Posted by Steve Alder

Novant Health has agreed to settle a class action lawsuit that stemmed from its use of tracking pixels on its MyChart patient portal. The pixel code on the patient portal collected the personally identifiable information of users with the goals of “improving access to care through virtual visits and to provide increased accessibility to counter the limitations of in-person care,” however the information collected was also transferred to third-party technology companies that were not authorized to receive the data.

The North Carolina Health System was the first healthcare provider to report a pixel-related HIPAA violation to the HHS Office for Civil Rights (OCR). In the summer of 2022, Novant Health said the protected health information of up to 1,362,296 individuals had been disclosed to third parties such as Meta (Facebook) between May 1, 2020, to Aug. 12, 2022. The HIPAA breach was reported several months before OCR issued guidance on HIPAA and tracking pixels confirming that pixel-related disclosures of protected health information to third parties violated HIPAA. Novant Health was one of many health systems to use the code on its patient portal. According to one study, 99% of hospitals in the United States used pixels or other tracking technologies on their websites, apps, or patient portals that collected visitor information and transferred that data to third parties.

The lawsuit against Novant Health was filed on behalf of 10 Novant Health patients and similarly situated individuals who used the patient portal while the Meta Pixel code was present and alleged invasion of privacy, breach of contract, and violations of the Health Insurance Portability and Accountability Act. Novant Health maintains there was no wrongdoing and the decision to settle the lawsuit was taken to put an end to the litigation and avoid further legal costs and the uncertainty of trial.

“Novant Health takes privacy and the care of personal information very seriously and values patient trust to keep patients’ medical information private. Novant Health will continue to be as transparent as possible and provide information to patients,” said a spokesperson for Novant Health regarding the proposed settlement. “The proposed settlement is not admission of wrongdoing, and the court did not find any wrongdoing on the part of Novant Health.”

Under the terms of the settlement, class members – individuals who used the MyChart portal between May 1, 2020, to Aug. 12, 2022 – will be eligible to submit claims for a share of the $6.6 million settlement fund. Claims will be paid pro rata once legal costs, expenses, and attorneys’ fees have been paid. Novant Health is one of several healthcare providers to have been sued over the use of pixels and other tracking technologies, including Advocate Aurora Health, which chose to settle its lawsuit for $12.225 million.

The post Novant Health Settles $6.6 Million Pixel Privacy Breach Lawsuit appeared first on HIPAA Journal.

LockBit Ransomware Group Behind Capital Health Cyberattack

Posted by Steve Alder

Capital Health Systems in New Jersey has recently announced that it fell victim to a cyberattack in late November that temporarily disrupted its IT systems. Capital Health operates two hospitals in New Jersey – Capital Health Regional Medical Center in Trenton and Capital Health Medical Center in Hopewell – and an outpatient facility in Hamilton Township. While the attack caused a network outage, care continued to be provided to patients at its hospitals and their emergency rooms continued to receive patients.

Capital Health has confirmed that all systems have now been restored and all services are available at Capital Health facilities; however, the investigation into the cyberattack is ongoing and it has yet to be determined to what extent patient and employee data was involved. Capital Health said law enforcement was immediately notified about the attack and third-party forensic and information technology experts were engaged to assist with the investigation and breach response.

Capital Health has yet to confirm the extent of any data breach but the hacking group behind the attack claims to have stolen more than 10 million files, including 7 TB of medical confidentiality data, and threatened to publish the stolen data if the ransom is not paid. The LockBit ransomware group usually engages in double extortion tactics, where sensitive data are stolen and files are encrypted using ransomware. A ransom demand is issued, and payment is required to obtain the keys to decrypt files and to prevent the publication of the stolen data. In this attack, the group said it deliberately did not encrypt files and only stole patient data as it was not its intention to cause any disruption to patient care. While ransomware was not used, these attacks can still cause network outages as part of incident response processes and therefore still have the potential to disrupt patient care.

Capital Health was given a deadline of January 9, 2024, to prevent the release of the stolen data. While Capital Health was added to the LockBit 3.0 data leak site, the listing has since been removed. Further information on the extent of the data breach will be released as the investigation progresses and notification letters will be issued if data theft is confirmed.

Lawsuit Filed Over Capital Health Cyberattack

The extent of the data breach has yet to be confirmed and notification letters have not yet been mailed by Capital Health but a lawsuit has already been filed against Capital Health over an alleged data breach. The lawsuit was filed on behalf of Capital Health patient Bruce Graycar and similarly situated individuals by attorney Ken Grunfeld of Kopelowitz Ostrow Ferguson Weiselberg Gilbert.

The lawsuit alleges the plaintiff has suffered injuries as a result of the attack and that the failure of Capital Health to issue prompt notifications to the affected individuals has exacerbated the injuries, as the plaintiff and class were unaware that it was necessary to take steps to protect themselves against misuse of their private healthcare information. The lawsuit alleges injuries have been suffered including damage to and the diminution in the value of private information, invasion of privacy, and a present, imminent, and impending injury due to an increased risk of identity theft and fraud.

The post LockBit Ransomware Group Behind Capital Health Cyberattack appeared first on HIPAA Journal.

ReproSource Fertility Diagnostics Proposes $1.25 Million Class Action Data Breach Settlement

Posted by Steve Alder

ReproSource Fertility Diagnostics has proposed a settlement to resolve litigation stemming from a 2021 ransomware attack that potentially resulted in the theft of the sensitive health data of up to 350,000 patients. The Marlborough, MA-based fertility testing laboratory, which is owned by Quest Diagnostics, had its network breached on August 8, 2021. The intrusion was detected on August 10 when ransomware was deployed. The forensic investigation confirmed that the parts of the network that the threat actors could access included files that contained sensitive health information.

The data exposed included names, addresses, phone numbers, email addresses, dates of birth, billing, and health information, such as CPT codes, diagnosis codes, test requisitions, and results, test reports and/or medical history information, health insurance or group plan identification names and numbers, and other information provided by individuals or by treating physicians, and for a limited number of individuals, Social Security numbers, financial account numbers, driver’s license numbers, passport numbers, and/or credit card numbers.

While no evidence of data exfiltration was found, data theft could not be ruled out, so ReproSource notified approximately 350,000 individuals on October 21, 2023, and was promptly sued. Two class action lawsuits were consolidated into a single lawsuit as they made similar allegations – that ReproSource was negligent by failing to implement reasonable and appropriate cybersecurity measures to prevent unauthorized access to patient data. The lawsuits alleged violations of the Health Insurance Portability and Accountability Act (HIPAA) and data breach notification and consumer protection laws in Massachusetts.

The decision was taken to settle the litigation with no admission of wrongdoing. Under the terms of the settlement, class members may submit claims for up to $3,000 to cover out-of-pocket, unreimbursed losses that are reasonably traceable to the data breach, including up to 8 hours of lost time, three years of credit monitoring services, and a $1 million identity theft insurance policy. Alternatively, class members can claim a cash payment of $50. $1.25 million has been set aside to cover claims, which will be paid pro rata if that total is reached. Class members who were California residents at the time of the breach will be entitled to an additional $50 payment.

The consolidated lawsuit also sought injunctive relief, which included major upgrades to data security to prevent similar cyberattacks and data breaches in the future. The settlement also includes the requirement for ReproSource to make significant improvements to its information security program, including enhancing its monitoring and detection tools. The settlement will need to receive final approval from a Massachusetts judge.

The post ReproSource Fertility Diagnostics Proposes $1.25 Million Class Action Data Breach Settlement appeared first on HIPAA Journal.

HMG Healthcare Data Breach Affects 80,000 Individuals

Posted by Steve Alder

HMG Healthcare, LLC, a Texas-based healthcare services provider, has recently confirmed that the protected health information of up to 80,000 individuals was exposed and potentially stolen in a cyberattack that was detected in November 2023.

A forensic investigation was launched after suspicious network activity was detected, which confirmed that unauthorized individuals first gained access to its network in August 2023. The investigation also confirmed that unencrypted files were copied but it “was not feasible” to identify exactly what types of information were obtained by the hackers. It is unclear why that determination was made, such as whether there was insufficient logging or if a comprehensive review would prove too timely and costly. HMG Healthcare said the files that were removed from its network likely contained information such as names, dates of birth, contact information, general health information, medical treatment information, Social Security numbers, and/or employment records.

The exact nature of the attack was not disclosed; however, HMG Healthcare did explain that it “worked diligently to ensure the stolen files were not further shared by the hackers,” which suggests that the hacking group behind the attack attempted to extort HMG Healthcare and payment was made to prevent the publication/sale of the stolen data. It is currently unclear which group was behind the attack.

The breach has affected employees and residents at 40 affiliated nursing facilities in Texas and Kansas:

  • Accel at College Station
  • Arbor Court Retirement Community at Alvamar (Independent Living)
  • Arbor Court Retirement Community at Salina (Independent Living)
  • Arbor Court Retirement Community at Topeka (Independent Living)
  • Arbrook Plaza
  • Cimarron Place Health & Rehabilitation Center
  • Crowley Nursing and Rehabilitation
  • Deerbrook Skilled Nursing & Rehab
  • Forum Parkway Health & Rehabilitation
  • Friendship Haven Healthcare & Rehab Center
  • Green Oaks Nursing and Rehabilitation
  • Gulf Pointe Plaza
  • Gulf Pointe Village (Assisted Living Only)
  • Harbor Lakes Nursing and Rehabilitation Center
  • Hewitt Nursing and Rehabilitation
  • Holland Lake Rehabilitation and Wellness Center
  • Lone Star Rehabilitation and Wellness Center
  • Methodist Transitional Care Center
  • Mission Nursing and Rehabilitation Center
  • Northgate Plaza (Legacy)
  • Park Manor of BeeCave (Legacy)
  • Park Manor of Conroe
  • Park Manor of CyFair
  • Park Manor of Cypress Station
  • Park Manor of Humble
  • Park Manor of Mckinney (Legacy)
  • Park Manor of Quail Valley
  • Park Manor of South Belt
  • Park Manor of The Woodlands
  • Park Manor of Tomball
  • Park Manor of Westchase
  • Pecan Bayou Nursing and Rehabilitation
  • Red Oak Health and Rehabilitation Center
  • Silver Spring Health & Rehabilitation Center
  • Smoky Hill Health and Rehabilitation
  • Stallings Court Nursing and Rehabilitation
  • Stonegate Nursing and Rehabilitation
  • Tanglewood Health and Rehabilitation
  • Treviso Transitional Care
  • Willowbrook Nursing Center

The substitute breach notice on the HMG Healthcare website advises the affected individuals to monitor their account statements and credit reports to identify any suspicious activity but makes no mention of credit monitoring and identity theft protection services being offered. HMG Healthcare said it has increased its data security protocols to prevent similar cyberattacks and data breaches in the future.

The post HMG Healthcare Data Breach Affects 80,000 Individuals appeared first on HIPAA Journal.

PHI Exposure Reported by Lone Peak Physical Therapy and First Choice Dental

Posted by Steve Alder

Patient Records Potentially Viewed at Lone Peak Physical Therapy

Lone Peak Physical Therapy, the operator of 10 physical therapy centers in Montana, had a break-in at its Bozeman billing office and clinical space on October 21, 2023. The robbery was detected on Monday, October 23, 2023, when staff returned to work. The robbery was reported to law enforcement and an inventory was conducted to determine which items had been stolen. They included a safe containing patient payments, billing information, and laptop computers. The laptop computers were encrypted so data on those devices cannot be accessed, nor can they be used to access the network. If the intruder attempts to pawn any of the stolen data, the Gallatin County Sheriff’s Department will be notified.

There were locked filing cabinets in the office that contained hard copies of patient records. Lone Peak Physical Therapy said none of the hard copies appear to have been removed, but it is not possible to tell if any of those files were viewed. The files contained the records of 5,809 patients and out of an abundance of caution, those individuals have been offered complimentary credit monitoring services.

“Lone Peak apologizes for the stress and worry this situation may have caused its patients and is taking appropriate measures to avoid an incident of this nature from happening in the future.”

First Choice Dental Alerts Patients About the Potential Exposure of their PHI

First Choice Dental, the operator of 11 clinics in Madison and Dane County, WI, has recently reported a 1,000-record data breach to the Office for Civil Rights. Since this is an interim notification, that figure may be amended up or down pending the completion of its investigation.

According to its notification letters, unauthorized network activity was detected on October 22, 2023. A third-party cybersecurity firm was engaged to investigate the breach and determined that an unauthorized third party had accessed its network. The investigation into the incident is ongoing and the data exposed is still being analyzed. Formal data breach notifications will be mailed to the affected individuals when the investigation and file review is completed and it has been determined exactly what types of data have been exposed. In the interim, out of full transparency, patients have been informed about the cyberattack via a website notice.

First Choice Dental took prompt action to block any further access to its network and has implemented several additional safeguards to better protect patient data. They include an XDR/EDR solution on all PC & server endpoints, immutable off-site backups of critical servers and site servers, full password resets for admin accounts, removal of unnecessary admin accounts, patching of the ESXiArgs vulnerability on its Vmware vSphere environment, and the implementation of a fine-grained AD password policy for all users. First Choice Dental is also replacing its multifactor authentication and firewall and has disabled remote access until the implementation is complete.

Credit should be given to First Choice Dental for the transparency about the data breach and for providing a detailed interim notification to patients.

The post PHI Exposure Reported by Lone Peak Physical Therapy and First Choice Dental appeared first on HIPAA Journal.

Former Executive Sentenced to Probation for HIPAA Violation

Posted by Steve Alder

Mark Kevin Robison, a former vice president of Commonwealth Health Corporation (now Med Center Health) in Kentucky has been sentenced to 2 years’ probation and ordered to pay $140,000 in restitution after reaching a plea agreement with federal prosecutors over a HIPAA violation.

Robison pled guilty to knowingly disclosing the protected health information of patients of Commonwealth Health Corporation (CHC) under false pretenses to an unauthorized third party between 2014 and 2015. Robison did not have authorization from the patients concerned nor from CHC to disclose the records.

While Vice President of CHC, Robison hired Randy Dobson as a patient account collection vendor for CHC. In March 2011, Robison and Dobson set up a corporation – OPTA LLC – in Kentucky. The pair were the only registered members and Robison was the registered agent. Dobson was developing a software solution and together the pair hoped to market the software to healthcare companies.

OPTA Kentucky was dissolved in 2014, and Delaware OPTA was incorporated the same year with Dobson listed as the sole owner. Delaware OPTA continued to develop the same software, and Robison hoped to share in the profits from the sale of the software when he left CHC. In 2014, Robison instructed the CHC IT department to share patient data with Dobson to test the software. The disclosures occurred between 2014 and 2015 without authorization from CHC or the patients concerned.

CHC learned of the relationship between Robison and Dobson, Robison was fired by CHC in December 2016, and the HIPAA violation was reported to law enforcement. Dobson is not believed to have disclosed the patient data to any other individuals and only used the data to test the software. While patients appear not to have suffered any harm, the potential penalty for the violation was severe.

Robison faced a maximum penalty of five years imprisonment and a fine of up to $100,000 for the HIPAA violation. Robison pled guilty to one count of impermissibly disclosing protected health information in a plea deal that saw him avoid jail and instead be placed on probation for 2 years. Robison was also ordered to pay CHC $140,000 in restitution. Half of that amount has already been paid and Robison intends to pay the remainder by the end of January.

The post Former Executive Sentenced to Probation for HIPAA Violation appeared first on HIPAA Journal.