Wakefern Food Corporation has agreed to pay $235,000 in civil financial penalties to resolve allegations of violations of federal and state laws related to a data breach involving the protected health information of 9,700 customers of two ShopRite supermarkets in Millville, Cumberland County and Kingston, New York. In addition to the financial penalties, the settlement requires improvements to be made to data security practices.

Wakefern Food Corporation is the parent company of Union Lake Supermarket, LLC, which owns the Shoprite store in Millville and ShopRite Supermarkets, Inc., which owns the ShopRite store in Kingston, NY.

In 2016, Wakefern replaced electronic devices that were used to collect customer signatures and purchase information at the two locations. The old devices were disposed of in regular dumpsters without first destroying the devices or purging/clearing the stored data to ensure sensitive information could not be recovered. The devices contained the protected health information of 9,700 customers of the two stores including names, contact information, zip codes, driver’s license numbers, dates of birth, prescription numbers, prescription types, pickup and delivery dates.

After receiving reports about the improper disposal of ePHI, the New Jersey Division of Consumer Affairs launched an investigation and determined the disposal of the devices was in violation of the Health Insurance Portability and Accountability Act (HIPAA) Privacy Rule and there had been multiple violations of the state’s fraud act. Staff at the stores had also not been provided with appropriate training on the handling and disposal of sensitive information.

“Pharmacies have a legal obligation to protect the privacy and security of the patient information they collect, and to properly dispose of that information when the time comes,” said New Jersey Attorney General Gurbir S. Grewal. “Those who compromise consumers’ private health information face serious consequences.”

Wakefern has agreed to pay $209,856.50 in civil penalties and $25,143.50 for reimbursement of attorneys’ fees and investigative costs and will implement protective measures to ensure future data branches are prevented. Those measures include appointing a chief privacy officer, executing a business associate agreement with ShopRite Supermarkets, Union Lake, and each of the members that operate pharmacies within the supermarkets, and ensuring appropriate measures are implemented to safeguard protected health information. Each of the ShopRite stores that has a pharmacy is required to appoint a HIPAA privacy officer and HIPAA security officer to oversee compliance and online training must be provided for those officers on their privacy and security roles.

“New Jersey consumers have a right to know that when they purchase a prescription medication at the neighborhood supermarket, their most private information will be fully protected under the law and not carelessly left to fall into the wrong hands,” said Paul R. Rodríguez, Acting Director of the Division of Consumer Affairs. “This settlement ensures that ShopRite supermarket pharmacies will be trained and monitored for HIPAA compliance to avoid future conduct that place consumers at risk for privacy invasion and identity theft.”

The post Wakefern Food Corporation Settles HIPAA Breach Case with NJ Attorney General for $235,000 appeared first on HIPAA Journal.

The City of New Haven, Connecticut has agreed to pay a $202,400 financial penalty to the Department of Health and Human Services’ Office for Civil Rights to resolve a HIPAA violation case.

An OCR investigation was launched in May 2017 following receipt of a data breach notification from New Haven on January 24, 2017. OCR investigated whether the data breach was linked to potential violations of HIPAA Rules.

During the investigation, OCR discovered the New Haven Health Department had terminated an employee on July 27, 2016 during her probationary period. The former employee returned to the New Haven Heath Department on July 27, 2016 with her union representative and used her work key to access her old office, where she locked herself inside with her union representative.

While in her office, the former employee logged into her old computer using her username and password and copied information from her computer onto a USB drive. She also removed personal items and documents from the office, and then exited the premises. A file on the computer contained the protected health information of 498 patients, including names, addresses, dates of birth, race/ethnicity, gender, and sexually transmitted disease test results. That file was downloaded onto the USB drive. The actions of the former employee were witnessed by an intern.

OCR investigators also determined that the former employee had shared her login credentials with an intern, who continued to use those credentials to access PHI on the network after the employee had been terminated.

Had the New Haven Health Department deactivated the former employee’s login credentials at the time of her termination, a data breach would have been prevented. If all users had been given their own, unique login credentials, it would have been possible to accurately determine the system activity of each individual and identify their interactions with electronic protected health information.

OCR concluded that between December 1, 2014 to December 31, 2018, HIPAA Privacy Rule policies and procedures had not been implemented, New Haven had not implemented procedures for terminating access to ePHI when the employment of, or other arrangement with, a workforce member ends, and New Haven had failed to assign unique usernames and passwords to track user identity.

An accurate organization-wide risk assessment had not been performed to identify the potential risks and vulnerabilities to the confidentiality, integrity, and availability of electronic protected health information and there had been an impermissible disclosure of the PHI of 498 individuals.

In addition to the financial penalty, the City of New Haven has agreed to adopt a corrective action plan to address all areas of noncompliance. OCR will monitor the City of New Haven for HIPAA compliance for two years from the date of the resolution agreement.

“Medical providers need to know who in their organization can access patient data at all times. When someone’s employment ends, so must their access to patient records,” said OCR Director Roger Severino.

The settlement is the 4th to be announced by OCR in October 2020, and the 15th HIPAA financial penalty of 2020.

The post Failure to Terminate Former Employee’s Access Rights Results in $202,000 HIPAA Fine for New Haven, CT appeared first on HIPAA Journal.

Aetna Life Insurance Company and the affiliated covered entity (Aetna) has agreed to settle multiple potential HIPAA violations with the Department of Health and Human Services’ Office for Civil Rights (OCR) that were discovered during the investigation of three data breaches that occurred in 2017.

The first of those data breaches was reported to OCR in June 2017 and concerned the exposure of the protected health information (PHI) of health plan members over the Internet. Two web services were used to display health plan-related documents to its members, but those documents could be accessed over the Internet without the need for any login credentials.

The lack of authentication allowed the documents to be indexed by search engines and displayed in search results. Aetna’s investigation revealed the PHI of 5,002 individuals had been exposed, which included names, insurance identification numbers, claim payment amounts, procedures service codes, and dates of service.

The second two HIPAA breaches involved the exposure and impermissible disclosure of highly sensitive information in two mailings to plan members. In both mailings, window envelopes had been used which allowed PHI to be viewed without opening the envelopes.

The first mailing in July 2017 saw benefit notices sent to 11,887 individuals who were receiving HIV medication, either for treatment or prophylaxis. The words “HIV medication” could be seen through the windows of the envelope, along with the name and address of each individual.

The second mailing, sent in September 2017, concerned a research study on individuals with an irregular heart rhythm. Through the windows of the envelope the name and logo of the atrial fibrillation research study were clearly visible along with the name and address of the recipient. The mailing was sent to 1,600 individuals.

These three incidents resulted in the impermissible disclosure of the PHI of 18,489 individuals and during the course of the investigation OCR investigators uncovered several other violations of the HIPAA Rules.

• Aetna had not performed periodic technical and nontechnical evaluations of operational changes affecting the security of their electronic PHI (ePHI), in violation of 45 C.F.R. § 164.308(a)(8);
• Procedures had not been implemented to verify the identity of individuals or entities looking to access their ePHI, in violation of 45 C.F.R. § 164.312(d);
• Disclosures of ePHI had not been limited to the minimum necessary information to achieve the purpose for the disclosure, in violation of 45 C.F.R. § 164.514(d); and
• There was a lack of appropriate administrative, technical, and physical safeguards to protect the privacy of PHI, in violation of 45 C.F.R. § 164.530(c).

“When individuals contract for health insurance, they expect plans to keep their medical information safe from public exposure. Unfortunately, Aetna’s failure to follow the HIPAA Rules resulted in three breaches in a six-month period, leading to this million-dollar settlement,” said OCR Director Roger Severino.

In addition to the financial penalty, Aetna has agreed to adopt a corrective action plan to address all areas of HIPAA noncompliance discovered by OCR. OCR will be monitoring Aetna closely for noncompliance with the HIPAA Rules for 2 years.

Settlements totaling $2,725,170 were agreed in 2018 to resolve HIPAA violation cases brought by state attorneys general in California ($935,000), Connecticut ($99,959), New Jersey ($365,211.59), New York ($1,150,000) and the District of Columbia ($175,000) over these data breaches. In 2018, Aetna also settled a class action lawsuit filed on behalf of victims of the HIV medication mailing incident for $17 million.

This year has already seen more penalties imposed on covered entities and business associates than any other year since OCR was given the authority to impose fines for HIPAA violations. There have been 14 settlements announced this year totaling $13,211,500.

The post Aetna Slapped with $1 Million HIPAA Fine for Three Data Breaches appeared first on HIPAA Journal.

The HHS’ Office for Civil Rights (OCR) is continuing its crackdown on healthcare providers that are not fully complying with the HIPAA right of access. Last week, OCR announced its ninth enforcement action against a HIPAA-covered entity for the failure to provide patients with timely access to their medical records at a reasonable cost.

HIPAA gives patients the right to view or receive a copy of their medical records. When a request is made for access to medical records, HIPAA-covered entities must provide access or supply a copy of the requested medical records as soon as possible, but no later than 30 days after the request is received.

By obtaining a copy of their medical records, patients can share those records with other providers, research organizations, or individuals of their choosing. Patients can check their medical records for errors and submit requests to correct any mistakes. In the event of a ransomware attack that renders medical records inaccessible, patients who have a copy of their records ensure that their health histories are never lost.

Under the OCR HIPAA Right of Access Initiative, complaints from individuals who have been denied access to their medical records or have faced delays in receiving a copy of their records are investigated. When violations of the HIPAA right of access are uncovered, financial penalties are issued. The aim of penalties is to encourage compliance by making noncompliance very costly.

The latest financial penalty was imposed on NY Spine, a private medical practice with offices in New York and Miami that specializes in neurology and pain management. OCR received a complaint from a patient in July 2019 who claimed to have sent multiple requests to NY Spine in June 2019 requesting a copy of her protected health information.

NY Spine responded to the requests and provided some of her records but failed to provide the diagnostic films that she had specifically requested. It took intervention from OCR for NY Spine to provide those records. The patient was finally provided with a complete copy of all the requested records in October 2020, 16 months after the first request was submitted.

NY Spine and OCR agreed to settle the case for $100,000. NY Spine is also required to adopt a corrective action plan and will be monitored by OCR for compliance for 2 years.

“No one should have to wait over a year to get copies of their medical records.  HIPAA entitles patients to timely access to their records and we will continue our stepped up enforcement of the right of access until covered entities get the message,” said Roger Severino, OCR Director.

The post OCR Announces 9th Financial Penalty under its HIPAA Right of Access Initiative appeared first on HIPAA Journal.

The Department of Health and Human Services’ Office for Civil Rights has announced its 12^th HIPAA penalty of 2020 and its 8^th under the HIPAA Right of Access enforcement initiative that was launched in 2019. The $160,000 settlement is the largest HIPAA penalty to date for a failure to provide an individual with timely access to their requested medical records.

On January 24, 2018, Dignity Health, doing business as St. Joseph’s Hospital and Medical Center (SJHMC), received a request from the mother of a patient who wanted a copy of her son’s medical records. The mother was acting as the personal representative of her son. After not receiving all of the requested records by April 25, 2018, the mother lodged a complaint with the Office for Civil Rights.

OCR investigated the potential HIPAA violation and determined the complainant had requested four specific sets of medical records from SJHMC. The first request was sent on January 24, 2018, and the same records were requested on March 22, April 3, and May 2, 2018.

SJHMC did respond to the requests and provided some, but not all, of the requested records. The mother made contact with SJHMC again on May 2, May 10 and May 15, 2018 to request the records that had not been provided. SJHMC responded and sent additional records, but not the specific records that had been requested. It took until December 19, 2019 for SJHMC to provide all the records she had requested – 22 months after the initial request had been sent.

SJHMC agreed to pay the $160,000 financial penalty to settle the case with no admission of liability. SJHMC will also adopt a corrective action plan to address all areas of noncompliance and will be monitored for compliance by OCR for two years.

“It shouldn’t take a federal investigation to secure access to patient medical records, but too often that’s what it takes when health care providers don’t take their HIPAA obligations seriously.  OCR has many right of access investigations open across the country, and will continue to vigorously enforce this right to better empower patients,” said Roger Severino, OCR Director.

The post OCR Imposes $160,000 Penalty on Healthcare Provider for HIPAA Right of Access Failure appeared first on HIPAA Journal.