HIPAA Breach News

Resources for Human Development, WellStar Health & Central Vermont Eye Care Announce Data Breaches

Resources for Human Development Reports Breach Affecting 46,673 Individuals

The Philadelphia, PA-based national human services nonprofit organization, Resources for Human Development (RHD), has recently confirmed that a hard drive containing the protected health information of 46,673 individuals has been stolen. The theft occurred on or around January 27, 2022, and was discovered by RHD on February 16, 2022.

The hard drive was used for its Point-to-Point program in Exton, PA, and contained information such as names, Social Security Numbers, drivers’ license numbers, financial account information, payment card information, dates of birth, prescription information, diagnosis information, treatment information, treatment providers, health insurance information, medical information, Medicare/Medicaid ID numbers, employer identification numbers, electronic signatures, usernames and passwords of clients and staff members.

RHD said it engaged outside forensics specialists to investigate the extent of the breach and ensure the security of its offices and computer servers. Training has also been provided to employees on best practices for protecting confidential information.

LockBit Ransomware Gang Claims Data Stolen from Tague Family Practice

The LockBit ransomware gang claims to have gained access to the systems of Tague Family Practice in St. Louis, MO, and exfiltrated sensitive data, some of which contained patients’ personal and protected health information.

A sample of the stolen data was uploaded to the gang's data leak site on March 17, 2022. According to Databreaches.net, which reviewed the sample, it included claims and billing-related information.

At this stage, Tague Family Practice has not confirmed a data breach has occurred and the incident has not appeared on the HHS’ Office for Civil Rights breach portal.

Email Breach Confirmed by Wellstar Health

Atlanta, GA-based Wellstar Health has recently confirmed that employee email accounts were accessed by unauthorized individuals who may have accessed or obtained patient information. Wellstar Health learned about the security breach on February 7, 2022, with the forensic investigation confirming that the breach was limited to two email accounts. No other systems were compromised.

The email accounts were determined to have been compromised between December 6, 2021, and January 3, 2022. Upon discovery of the breach, the email accounts were immediately disabled and secured. A review of the accounts confirmed they contained protected health information such as employee names, medical record numbers, internal account numbers, and laboratory information. No evidence was found to indicate any patient information was misused.

It is currently unclear how many patients have been affected.

Central Vermont Eye Care Reports Hacking Incident Affecting 30,000 Patients

A hacking incident has recently been reported by the Rutland, VT-based ophthalmology practice, Central Vermont Eye Care. The exact nature of the hacking incident is unclear at this stage; however, it has been confirmed that unauthorized individuals potentially gained access to the protected health information of up to 30,000 patients. Notification letters were sent to those individuals on April 6, 2022.

This post will be updated when further information becomes available.

The post Resources for Human Development, WellStar Health & Central Vermont Eye Care Announce Data Breaches appeared first on HIPAA Journal.

Increase in Class Action Lawsuits Following Healthcare Data Incidents

The law firm BakerHostetler has published its 8th Annual Data Security Incident Response (DSIR) Report, which provides insights based on 1,270 data security incidents managed by the firm in 2021. 23% of those incidents involved data security incidents at healthcare organizations, which was the most targeted sector.

Ransomware Attacks Increased in 2021

Ransomware attacks have continued to occur at elevated levels, accounting for 37% of all data security incidents handled by the firm in 2021, compared to 27% in 2020, and there are no signs that attacks will decrease in 2022. Attacks on healthcare organizations increased considerably year over year: 35% of healthcare security incidents handled by BakerHostetler in 2021 involved ransomware, up from 20% in 2020.

Ransom demands and payments decreased in 2021. In healthcare, the average initial ransom demand was $8,329,520 (median $1,043,480) and the average ransom paid was $875,784 (median $500,846) which is around two-thirds of the amount paid in 2020. Restoration of files took an average of 6.1 days following payment of the ransom, and in 97% of cases, data was successfully restored after paying the ransom.

Data exfiltration is now the norm in ransomware attacks. 82% of the ransomware attacks handled by BakerHostetler in 2021 included a claim that the attackers had exfiltrated data prior to encrypting files. In 73% of those incidents, evidence of data theft was uncovered, and 81% required notice to be provided to individuals. The average number of notifications was 81,679 and the median number of notifications was 1,002.

The threat of the exposure of stolen data prompted many organizations to pay the ransom. 33% of victims paid the ransom even though they were able to partially restore files from backups and 24% paid even though they had fully restored files from backups.

There was also an increase in business email compromise (BEC) attacks, in which phishing and social engineering are used to access organizations' email accounts, which are then used to trick organizations into making fraudulent payments. The share of incidents detected in time to recover transferred funds improved to 43%, from 38% in 2020, but the proportion of organizations that had to notify individuals and regulators about the incident jumped from 43% of incidents in 2020 to 60% in 2021.

Class Action Lawsuits are More Common, Even for Smaller Data Incidents

It is now more common for organizations to face class action lawsuits after data security incidents. While class action lawsuits tended to only be filed for large data incidents, it is now increasingly common for smaller data incidents to also result in lawsuits. In 2021, 23 disclosed data incidents resulted in lawsuits being filed, up from 20 in 2020. 11 of the lawsuits related to data incidents involving the data of fewer than 700,000 individuals, with 3 lawsuits filed in relation to incidents that affected fewer than 8,000 individuals.

BakerHostetler identified a trend in 2021 for multiple class action lawsuits to be filed following a data incident. More than 58 lawsuits were filed related to the 23 incidents, and 43 of those lawsuits were in response to data breaches at healthcare organizations.

“There was always a risk of multidistrict litigation following large data incidents. However, now we are seeing multiple lawsuits following an incident notification in the same federal forum. Or, in the alternative, we see a handful of cases in one federal forum and another handful of cases in a state venue,” explained BakerHostetler in the report. “This duplicative litigation trend is increasing the “race to the courthouse” filings and increasing the initial litigation defense costs and the ultimate cost of settlement, due to the number of plaintiffs’ attorneys involved.”

OCR is Requesting Evidence of “Recognized Security Practices”

2021 saw record numbers of data breaches reported by healthcare organizations. 714 incidents were reported to the HHS’ Office for Civil Rights in 2021 compared to 663 in 2020, and more data breaches were referred to the Department of Justice to investigate possible criminal violations than in previous years.

In 2021, there was an amendment made to the HITECH Act to include a HIPAA Safe Harbor for organizations that have adopted recognized security practices for at least 12 months prior to a data breach occurring. BakerHostetler said that out of the 40 OCR investigations of organizations that it worked with, OCR frequently asked about the recognized security practices that had been in place in the 12 months prior to the incident occurring. BakerHostetler strongly recommends organizations examine their security practices and ensure they match the definition of “recognized security practices” detailed in the HITECH amendment, and to consider further investments in cybersecurity to meet that definition if their security practices fall short of what is required.


Cyberattack on SuperCare Health Affects 318,000 Patients

SuperCare Health, a Downey, CA-based post-acute, in-home respiratory care provider serving the Western United States, has recently started notifying 318,379 patients that some of their protected health information has been exposed and potentially accessed by unauthorized individuals in a cyberattack that occurred in July 2021.

In its March 25, 2022, breach notification letters, SuperCare Health explained that it identified unauthorized activity within its IT systems on July 27, 2021. Steps were immediately taken to secure its network and prevent further unauthorized access, and independent cybersecurity experts were engaged to investigate the nature and scope of the incident.

The investigation determined that unauthorized individuals had access to parts of its network from July 23, 2021, to July 27, 2021, and that it was possible that files on the network were accessed that contained patients’ protected health information. A comprehensive review of the contents of the files was conducted, which determined on February 4, 2022, that they contained sensitive patient data such as names, addresses, birth dates, hospital/medical group, patient account numbers, medical record numbers, health insurance information, testing/diagnostic/treatment information, other health-related information, and claims information. A subset of individuals also had their Social Security numbers and/or driver’s license numbers exposed.

SuperCare Health said the security breach prompted a review of its security safeguards and additional security measures have now been implemented to better protect the personal and protected health information of its patients.

SuperCare Health is offering affected individuals a complimentary membership to an identity theft protection service, which includes credit monitoring, dark web monitoring, and an identity theft reimbursement insurance policy.

Englewood Health Warns 3,900 Patients About PHI Exposure

Englewood Health, the operator of a 289-bed acute care teaching hospital in Englewood, NJ, has recently reported a security breach that involved the protected health information of 3,901 patients. On February 14, 2022, Englewood Health learned that the username and password of an employee had been compromised, which allowed an unauthorized individual to access patient names, dates of birth, and limited health information. Englewood Health said the unauthorized actor had access to patient data for less than 40 minutes before the intrusion was identified and blocked.

In response to the breach, Englewood Health has upgraded its physical, administrative, and technical network controls. Patients have now been notified by mail and while only a limited amount of data was exposed, complimentary credit monitoring services have been offered to affected patients.


OCR Seeks Comment on Recognized Security Practices and the Sharing of HIPAA Settlements with Harmed Individuals

The Department of Health and Human Services' Office for Civil Rights has released a Request for Information (RFI) related to two outstanding requirements of the Health Information Technology for Economic and Clinical Health Act of 2009 (HITECH Act).

The HITECH Act, as amended in 2021 by the HIPAA Safe Harbor Act, requires the HHS to consider the security practices that have been implemented by HIPAA-regulated entities when determining financial penalties and other remedies to resolve potential HIPAA violations discovered during investigations and audits.

The aim of the HIPAA Safe Harbor Act was to encourage HIPAA-regulated entities to implement cybersecurity best practices, with the reward being lower financial penalties for data breaches and less scrutiny by the HHS if industry-standard security best practices have been implemented for the 12 months prior to a data breach occurring.

Another outstanding requirement that dates back to when the HITECH Act was signed into law, is for the HHS to share a percentage of the civil monetary penalties (CMPs) and settlement payments with individuals who have been harmed as a result of the violations for which the penalties have been applied. The HITECH Act calls for a methodology to be established by the HHS for determining appropriate amounts to be shared, based on the nature and extent of the HIPAA violation and the nature and extent of the harm that has been caused.

Earlier this year, the recently appointed Director of the HHS’ Office for Civil Rights (OCR) – Lisa J. Pino – confirmed that these two requirements of the HITECH Act were being addressed this year. Yesterday, OCR published the RFI in the Federal Register seeking public comment on these two requirements of the HITECH Act.

Specifically, OCR is seeking feedback on what constitutes "Recognized Security Practices," the recognized security practices that HIPAA-regulated entities are implementing to safeguard electronic protected health information, and how those entities anticipate adequately demonstrating that recognized security practices are in place. OCR would also like to learn about any implementation issues that those entities would like OCR to clarify, either through further rulemaking or guidance, and suggestions on the action that should start the 12-month look-back period, as that is not stated in the HIPAA Safe Harbor Act.

One of the main issues with the requirement to share CMPs and settlements with victims is that the HITECH Act has no definition of harm. OCR is seeking comment on the types of "harms" that should be considered when distributing a percentage of CMPs and settlements, and suggestions on potential methodologies for sharing and distributing monies to harmed individuals.

“This request for information has long been anticipated, and we look forward to reviewing the input we receive from the public and regulated industry alike on these important topics,” said Pino. “I encourage those who have been historically underserved, marginalized, or subject to discrimination or systemic disadvantage to comment on this RFI, so we hear your voice and fully consider your interests in future rulemaking and guidance.”

In order to be considered, comments must be submitted to OCR by June 6, 2022.


Ransomware Gangs Claim Health Plan and Healthcare Provider Attacked

Partnership Health Plan of California Recovering from Suspected Ransomware Attack

The Fairfield, CA-based nonprofit managed care health plan, Partnership Health Plan of California (PHC), has suffered a cyberattack that has taken its IT systems out of action for more than a week. PHC started notifying regional healthcare clinics on March 21, 2022, that its IT systems were disrupted, along with its website and phone lines and that efforts were underway to restore its systems. A timeline for when IT systems would likely be restored was not provided.

PHC did not state in its notifications what caused the outage, but it appears to have been a ransomware attack by the Hive ransomware operation. The Hive ransomware gang claimed responsibility for the cyberattack on its clear web and dark web sites and said 400 gigabytes of data was exfiltrated from PHC systems that included 850,000 unique records of name, SSNs, dates of birth, addresses, and other information. That claim has since been removed.

PHC has yet to confirm whether ransomware was used and the extent to which plan members’ data has been affected. PHC has around 618,000 health plan members in Northern California. The Hive ransomware gang is known to target the healthcare industry, having previously conducted ransomware attacks on Memorial Health System and Johnson Memorial Health last year.

Cancer and Hematology Centers of Western Michigan Suffers Ransomware Attack

Cancer and Hematology Centers of Western Michigan has recently announced it was the victim of a ransomware attack in December 2021 that affected part of its database. The healthcare provider said it partnered with a third-party IT and forensics firm to investigate the breach and restore its systems.

The breach investigation did not uncover evidence to suggest any patient data has been misused, but the parts of its systems that were accessed by the attackers contained parts of patients’ health records and employees’ Social Security numbers and bank account information.

Cancer and Hematology Centers of Western Michigan has started notifying affected individuals and complimentary credit monitoring services have been offered. Steps have been taken to strengthen data security procedures, including decommissioning several servers, providing additional training to the workforce, reviewing security policies and procedures, and contracting with a third-party company to provide ongoing security monitoring.

The breach has been reported to the HHS’ Office for Civil Rights as affecting 43,071 individuals.

LockBit Ransomware Gang Claims to Have Attacked Val Verde Regional Medical Center

The LockBit ransomware gang has recently published data on its leak site which it claims was stolen in a ransomware attack on Val Verde Regional Medical Center in Texas.

LockBit has published around 400 MB of data on its website, including files that contain the data of more than 96,000 patients. The files contain information such as names, patient ID numbers, account numbers, email addresses, addresses, phone numbers, dates of birth, employer addresses, marital status, guarantor names, referring physician names, health insurance information, notes, and other information.

Val Verde Regional Medical Center has not confirmed whether the claims of the LockBit gang are genuine, and the breach is not yet showing on the HHS' Office for Civil Rights breach portal.


Spokane Regional Health District Announces Second Phishing Attack in 3 Months

Spokane Regional Health District (SRHD) in Washington has once again fallen victim to a phishing attack. For the second time this year, the health district has announced patient data has potentially been compromised after an employee responded to a phishing email.

On March 24, 2022, SRHD announced that its IT department discovered a compromised email account, with the investigation recently confirming that the employee responded to a phishing email on February 24, 2022, and disclosed credentials that allowed the account to be accessed. Last week, SRHD confirmed that the email account contained the protected health information of 1,260 individuals. That information may have been ‘previewed’ by an unauthorized individual, although no evidence was found to suggest information had been accessed or downloaded.

Information in the account included names, birth dates, service dates, source of referral, provider hospital name, diagnosing state, whether the patient had been located, date located, patient risk level, staging level, how medications were collected, test type, test result, treatment information, medication information, delivery dates and any treatments provided to the baby, diagnostic information, medical information, and client notes.

A spokesperson for SRHD said corrective actions have been taken to mitigate the current breach and prevent further phishing attacks, including reinforcing employee cybersecurity training, implementing multifactor authentication, and performing testing on its systems.

“Much like the rest of the state of Washington, SRHD has experienced a record-level spike in phishing emails and malware installation attempts. In this instance, staff fell prey to a phishing scam which exposed confidential information to data thieves,” said SRHD Deputy Administrative Officer, Lola Phillips. “We have a strong commitment to safeguard personal information, and we are working diligently to reduce the likelihood of future events.”

On January 24, 2022, SRHD announced that an employee email account had been compromised on December 21, 2021. The email account contained the sensitive data of 1,058 individuals, including names, birth dates, case numbers, counselor names, test results and dates of urinalysis, medications, and date of last dose.

After that attack, SRHD said it would be reinforcing employee cybersecurity training, implementing multifactor authentication, and performing testing on its systems.

Catholic Health Notifies Patients About Data Theft Incident at Business Associate

Buffalo, NY-based Catholic Health has recently started notifying approximately 1,300 patients that some of their protected health information has been exposed in a cyberattack on its business associate, Ciox Health.

Ciox Health provides health information management services to healthcare providers and insurers. Between June 24, 2021, and July 2, 2021, emails and attachments in a Ciox Health employee's email account were downloaded by an unauthorized individual.

The breach was detected last year and in September 2021, Ciox Health learned that the email account contained patient information related to billing inquiries and customer service requests. A review of the information in the account was completed in early November, and affected providers and insurers were notified between November 23 and December 30, 2021.

Catholic Health said the compromised information included patient names, provider names, dates of birth, dates of service, health insurance information, and/or medical record numbers. “While Ciox’s investigation did not find any instances of fraud or identity theft as a result of this incident, out of an abundance of caution, beginning today, Ciox is notifying affected Catholic Health patients,” said Catholic Health, in a March 30, 2022 post on its website.


CSI Laboratories and Christie Clinic Report Data Breaches; Scripps Health Sends Additional Notification Letters

Conti Ransomware Gang Claims Responsibility for Cyberattack on CSI Laboratories

Cytometry Specialists, Inc., doing business as CSI Laboratories in Alpharetta, GA, has recently announced it was the victim of a cyberattack that was discovered on February 12, 2022. An investigation confirmed that files containing limited patient data were exfiltrated from its systems. The files mostly contained patient names and the case numbers used to identify patients, but for a limited number of patients they also included addresses, dates of birth, medical record numbers, and health insurance information.

CSI Laboratories said in its web notification that at this stage of the investigation there does not appear to have been any misuse of patient data. While CSI Laboratories did not disclose the nature of the cyberattack, the Conti ransomware gang has claimed responsibility and has published a sample of the exfiltrated data on its data leak site. CSI Laboratories said it has now brought its system back online and it is monitoring its network closely for unusual activity. There was no mention made about any ransom being paid.

The incident has yet to appear on the HHS’ Office for Civil Rights breach portal, so it is unclear how many individuals have been affected.

Email Account Breach Reported by Christie Clinic

Christie Business Holdings Company, P.C., doing business as Christie Clinic, has recently announced a security incident involving an employee’s email account. The company’s breach notice did not say when the breach was discovered, but the forensic investigation confirmed on January 27, 2022, that the email account was accessed by an unauthorized individual between July 14, 2021, and August 19, 2021.

Christie Clinic said the purpose of the attack appeared to be to intercept a business transaction between the clinic and a third-party vendor, rather than to obtain sensitive data from the email account, but it was not possible to determine to what extent emails in the account had been accessed. Christie Clinic said the investigation confirmed that the breach was limited to a single email account and no other systems or accounts were affected. The review of information in the account revealed on March 10, 2022, that the emails included protected health information such as names, addresses, Social Security numbers, medical information, and health insurance information. Notification letters were sent to affected individuals on March 24, 2022.

Christie Clinic said it already uses industry-leading network security solutions and performs regular and ongoing data security and privacy training and additional safeguards have been implemented.

Scripps Health Sends Additional Notification Letters About 2021 Ransomware Attack

On June 1, 2021, Scripps Health in San Diego notified the HHS' Office for Civil Rights about a ransomware attack in which the protected health information of 147,267 patients was potentially compromised. Hackers had gained access to its network between April 26, 2021, and May 1, 2021, and potentially exfiltrated files containing patient data. The attack prompted class action lawsuits and cost the healthcare provider more than $113 million in losses.

Almost a year after its network was breached, NBC 7 was contacted by a patient who had received a notification letter dated March 15, 2022, informing her that her protected health information, including her name, address, date of birth, health insurance information, medical record number, patient account number, and clinical information such as diagnosis or treatment information, had potentially been compromised in the attack. The patient had not previously been notified about the ransomware attack.

NBC 7 contacted Scripps Health, which confirmed that the manual document review recently concluded, and it was determined that additional patient data had potentially been compromised in the attack, but declined to say how many additional patients had been affected.


Law Enforcement Health Benefits and Oklahoma City Indian Clinic Suffer Ransomware Attacks

Oklahoma City Indian Clinic and Law Enforcement Health Benefits Inc. have confirmed they were recent victims of cyberattacks, both of which involved the use of ransomware.

Ransomware Attack Affects 85,282 Law Enforcement Health Benefits Members

Law Enforcement Health Benefits, Inc. (LEHB) has recently announced that it was the victim of a ransomware attack that was detected on September 14, 2021. External cybersecurity professionals were engaged to assist with the investigation and remediation efforts, and a manual review of files on the affected parts of the network was conducted. That process concluded on February 25, 2022, when it was confirmed that files containing the personal and protected health information of plan members had been exfiltrated from its network.

LEHB said the following types of information had been compromised: names, dates of birth, Social Security numbers, driver’s license numbers, financial account numbers, health insurance information, medical record numbers, patient account numbers, and diagnosis/treatment information.

While it was confirmed that files were exfiltrated from its systems, LEHB said it is unaware of any actual or attempted misuse of members’ information. Notification letters have been sent to individuals for whom a current address could be determined, and complimentary credit monitoring services have been offered to individuals whose Social Security numbers were potentially compromised. LEHB said it has taken steps to secure its network and improve internal procedures to allow the rapid identification and remediation of future threats.

The breach has been reported to the HHS’ Office for Civil Rights as affecting 85,282 individuals.

Oklahoma City Indian Clinic Investigating Cyberattack

Oklahoma City Indian Clinic (OKCIC), a 501(c)(3) non-profit organization that provides healthcare services to more than 20,000 patients from 200 Native American tribes in Oklahoma, recently announced on its website and social media accounts that it is experiencing 'technological issues' and network disruption that have prevented access to certain computer systems. The attack appears to have occurred on or around March 10, 2022, and has affected the automatic refill line and mail order services of its pharmacy.

The OKCIC IT team and third-party specialists are currently investigating the incident and are working to restore access to the affected systems. No mention was made of the nature of the incident, but it appears to be a ransomware attack. The Suncrypt ransomware gang has claimed responsibility for the cyberattack and has added Oklahoma City Indian Clinic to its data leak website. According to Databreaches.net, Suncrypt claims to have stolen more than 350 GB of data prior to encrypting files, including patients’ electronic medical records and financial documents.

Suncrypt has threatened to leak the data if Oklahoma City Indian Clinic does not negotiate and pay the ransom demand. Oklahoma City Indian Clinic said the investigation into the attack is ongoing and at this stage of the investigation, no evidence of data theft has been found.

This post will be updated when further information is made available.


OCR Announces 4 Financial Penalties to Resolve HIPAA Violations

The Department of Health and Human Services’ Office for Civil Rights (OCR) has announced its first financial penalties of 2022 to resolve alleged violations of the Health Insurance Portability and Accountability Act (HIPAA). Three of the cases were settled with OCR, and one resulted in a civil monetary penalty being imposed.

OCR is continuing to enforce compliance with the HIPAA Right of Access, with two of the enforcement actions resolving violations of this important HIPAA provision. One of the fines was imposed, in part, for overcharging a patient who requested a copy of their medical records, the first financial penalty under the 2019 enforcement initiative to allege overcharging for copies of medical records. To date, OCR has imposed 27 financial penalties on healthcare providers that have failed to provide patients with timely access to their medical records. The other two cases involved impermissible disclosures of the protected health information of patients.

“Between the rising pace of breaches of unsecured protected health information and continued cyber security threats impacting the health care industry, it is critical that covered entities take their HIPAA compliance responsibilities seriously,” said OCR Director Lisa J. Pino. “OCR will continue our steadfast commitment to protect individuals’ health information privacy and security through enforcement, and we will pursue civil money penalties for violations that are not addressed.”

Dental Practitioner Fined $30,000 for Noncompliance with the HIPAA Right of Access

Dr. Donald Brockley D.D.M, a solo dental practitioner in Butler, PA, was investigated by OCR over a complaint from a patient who had not been provided with a copy of the requested medical records within the time allowed by the HIPAA Privacy Rule. OCR determined that there had been a HIPAA Right of Access violation and, in a letter dated August 27, 2019, gave Dr. Brockley the opportunity to submit written evidence of any mitigating factors. No response was received.

OCR then notified Dr. Brockley of its intention to impose a financial penalty of $104,000, and Dr. Brockley requested a hearing with an Administrative Law Judge to contest the financial penalty. On October 8, 2021, the parties filed a joint motion to stay proceedings for 60 days, during which the parties reached an agreement and the case was settled.

Dr. Brockley agreed to pay a $30,000 financial penalty and adopt a corrective action plan which included updating policies and procedures to ensure compliance with the HIPAA Right of Access.

$28,000 Financial Penalty for California Psychiatric Medical Services in HIPAA Right of Access Case

Jacob & Associates, a California provider of psychiatric medical services, was investigated by OCR over a complaint from a patient who claimed that medical records had been requested from Jacob & Associates on July 1, 2018, but had not been provided. The complainant claimed to have sent similar requests every July 1 since 2013 but had never been provided with the requested records.

After submitting the complaint to OCR, the complainant resent her record request and was provided with a complete copy of the requested records by email on May 16, 2019. However, in order to be provided with those records, she was required to travel to the practice to complete a record access form in person. She was also charged $25 for the copy of her records, and was initially provided with only an incomplete, single-page copy, so she had to submit another request to obtain her full records.

OCR determined that Jacob & Associates had violated the HIPAA Right of Access by not providing timely access to the patient’s medical records, had charged the patient a fee that was not reasonable and cost-based, and did not have policies and procedures in place concerning the right of patients to access their protected health information.

During the investigation, OCR also determined that Jacob & Associates had not designated a HIPAA Privacy Officer and its notice of privacy practices lacked the required content. The case was settled for $28,000 and Jacob & Associates agreed to a corrective action plan to address all areas of alleged non-compliance.

$50,000 Civil Monetary Penalty Imposed on Dental Practice for Social Media HIPAA Violation

Dr. U. Phillip Igbinadolor, D.M.D. & Associates, P.A., (UPI), a dental practice with offices in Charlotte and Monroe, NC, was investigated by OCR after a patient submitted a complaint in November 2015 alleging an unauthorized disclosure of his protected health information in response to a negative online review of the practice.

On or around September 28, 2015, the complainant, using a pseudonym to protect his privacy, posted a negative review on UPI’s Google page. UPI responded to the review and claimed the accusations made by the patient were unsubstantiated; however, UPI identified the patient, mentioned the patient’s full name three times in the response, and disclosed the symptoms the patient was experiencing and the treatment that was recommended but not provided.

OCR reviewed the complaint and requested documentation from UPI in July 2016 on its policies and procedures covering responses to online reviews and social media, uses and disclosures of PHI, safeguarding PHI, and details of HIPAA training that was provided prior to, and in response to, the incident. UPI confirmed that a response had been posted to the Google page, but only provided OCR with its notice of privacy practices.

In August 2016, OCR informed UPI that the response to the review was an impermissible disclosure of PHI that violated the HIPAA Privacy Rule, and told UPI to remove its response to the review and to implement policies and procedures covering online reviews and social media, if they had not already been implemented. In 2017, OCR requested a copy of the policies and procedures and again told UPI to remove the response to the review.

Only an acknowledgment of training was provided to OCR, and it did not include any of the training content. The response to the review was not removed. OCR then requested financial statements to be used to determine an appropriate financial penalty, but UPI refused to provide them, claiming they were not related to HIPAA. After OCR explained why they were required, UPI responded in September 2017, again refused to provide the records, and included the statement “I will see you in court”.

UPI then received, and failed to respond to, an administrative subpoena requesting its policies and procedures, training materials, income statements, balance sheets, statements of cash flow, and federal tax returns, and failed to respond to further communications. OCR obtained the authorization of the Attorney General of the United States and imposed a civil monetary penalty of $50,000 under the penalty tier for willful neglect that was not corrected.

Dental Practice Fined $62,500 for Impermissible Disclosure of PHI for Marketing Purposes

Northcutt Dental-Fairhope, LLC (Northcutt Dental), a Fairhope, AL dental practice, was investigated by OCR over an impermissible disclosure of PHI. Dr. David Northcutt, the operator and owner of Northcutt Dental, ran for state senator for Alabama District 32 in 2017. Dr. Northcutt engaged a campaign manager and a third-party marketing company to assist with the state senate election campaign. The campaign manager was provided with an Excel spreadsheet that included the names and addresses of 3,657 patients, and letters were sent to those individuals to notify them that Dr. Northcutt was running for state senate. The email addresses of those individuals, along with the email addresses of a further 1,727 patients, were provided to the marketing company Solutionreach to send a campaign email.

OCR determined that the disclosures of PHI to the campaign manager and third-party marketing company were impermissible disclosures of PHI. OCR also determined that Northcutt Dental had not appointed a HIPAA Privacy Officer until November 14, 2017, and policies and procedures related to the HIPAA Privacy and Breach Notification Rules were not implemented until January 1, 2018. The case was settled and Northcutt Dental agreed to a $62,500 penalty and a corrective action plan to address the alleged areas of non-compliance.