Legal News

EmblemHealth Pays $100,000 HIPAA Violation Penalty to New Jersey for 2016 Data Breach

The health insurance provider EmblemHealth has been fined $100,000 by New Jersey for a 2016 data breach that exposed the protected health information (PHI) of more than 6,000 New Jersey plan members.

On October 3, 2016, EmblemHealth sent Medicare Part D Prescription Drug Plan Evidence of Coverage documents to its members.

The mailing labels included beneficiary identification codes and Medicare Health Insurance Claim Numbers (HCIN), which mirror Social Security numbers. The documents were sent to more than 81,000 policy members, 6,443 of whom were New Jersey residents.

The New Jersey Division of Consumer Affairs investigated the breach and identified policy, procedural, and training failures. Previous mailings of Evidence of Coverage documents were handled by a trained employee, but when that individual left EmblemHealth, mailing duties were handed to a team manager who had only been given minimal task-specific training and worked unsupervised.

That individual sent a data file to EmblemHealth’s mailing vendor without first removing HCINs, which resulted in the HCINs being printed on mailing labels: A violation of HIPAA, the New Jersey Identity Theft Prevention Act, and the New Jersey Consumer Fraud Act.

“Health insurers entrusted with their customers’ sensitive personal information have a duty to avoid improper disclosures,” said New Jersey Attorney General Gurbir S. Grewal. “EmblemHealth fell short of its obligations to its customers in this case, and I am pleased that our settlement includes measures designed to prevent similar breaches at this company in the future.”

In addition to the financial penalty, EmblemHealth has agreed to make changes to its policies and procedures to prevent further breaches of plan members’ PHI. Those measures include the use of unique patient identifiers for mailings rather than HCINs or Medicare Beneficiary Identifiers.

EmblemHealth will also ensure that a formal transfer process takes place when the responsibilities of outgoing staff are passed on to other EmblemHealth employees or third parties, and that all necessary training will be provided.

All incoming employees will also be required to complete additional privacy and security training modules and refresher training sessions will be conducted annually. The New Jersey Division of Consumer Affairs will be monitoring EmblemHealth over the next three years and must be informed of any further breaches of the PHI of New Jersey customers.

“This settlement should serve as a reminder that we are committed to safeguarding consumer privacy, and will hold accountable any businesses that are careless in the handling of such personal data,” said Paul R. Rodríguez, Acting Director of the Division of Consumer Affairs.

New Jersey has been highly active as an enforcer of HIPAA Rules and has agreed four settlements in 2018 to resolve violations of HIPAA Rules. In addition to the EmblemHealth HIPAA fine, New Jersey has settled HIPAA violations with Best Transcription Medical ($200,000), Aetna ($365,211.59), and Virtua Medical Group ($417,816) in 2018.

The post EmblemHealth Pays $100,000 HIPAA Violation Penalty to New Jersey for 2016 Data Breach appeared first on HIPAA Journal.

First Hospital GDPR Violation Penalty Issued: Portuguese Hospital to Pay €400,000 GDPR Fine

The first hospital GDPR violation penalty has been issued in Portugal. The Portugal supervisory authority, Comissão Nacional de Protecção de Dados (CNPD), took action against the Barreiro Montijo hospital near Lisbon for failing to restrict access to patient data stored in its patient management system.

Concerns were raised about the lack of data access controls in April 2018. Medical workers in the southern zone discovered non-clinical staff were using medical profiles to access the patient management system.

CNPD conducted an audit of the hospital and discovered 985 hospital employees had access rights to sensitive patient health information when there were only 296 physicians employed by the hospital. Only medical doctors at the hospital should have been able to access that level of detailed information about patients. CNPD also discovered a test profile had been set up with full, unrestricted administrator-level access to patient data and nine social workers had been granted access to confidential patient data.

The failure to implement appropriate access controls is a violation of the EU’s General Data Protection Regulation (GDPR) which came into force on May 25, 2018.

The hospital has been fined €400,000 ($455,050) for the GDPR violations – €300,000 for the failure to limit access to patient data and €100,000 for the failure to ensure the confidentiality, integrity, and availability of treatment systems and services. The hospital is taking legal action over the GDPR penalty.

This is the first GDPR violation fine to be issued in Portugal and one of the first fines since GDPR started to be enforced in May 2018. The financial penalty is well below the maximum fine that can be issued for a GDPR violation, which is up to €20 million ($22.74 million) or 4% of global annual turnover, whichever is greater.

In November, the supervisory authority in Germany, Baden-Württemberg Data Protection Authority, issued a financial penalty to the chat platform Knuddels.de for the failure to secure the personal information of EU residents. Knuddels.de suffered a data breach that exposed the email addresses of 808,000 users and 1.8 million usernames and passwords. The investigation revealed sensitive information such as passwords were stored in plain text.

Knuddels.de was fined €20,000 ($22,750). The relatively low fine was due to the level of transparency over the breach, exemplary cooperation with the data protection authority, and the speed at which security upgrades were applied.

The post First Hospital GDPR Violation Penalty Issued: Portuguese Hospital to Pay €400,000 GDPR Fine appeared first on HIPAA Journal.

12 State Attorneys General File HIPAA Breach Lawsuit Against Medical Informatics Engineering

A multi-state federal lawsuit has been filed against Medical Informatics Engineering and NoMoreClipboard over the 2015 data breach that exposed the data of 3.9 million individuals.

Indiana Attorney General Curtis Hill is leading the lawsuit and 11 other states are participating – Arizona, Arkansas, Florida, Iowa, Kansas, Kentucky, Louisiana, Minnesota, Nebraska, North Carolina and Wisconsin.

This is the first time that state attorneys general have joined forces in a federal lawsuit over a data breach caused by violations of the Health Insurance Portability and Accountability Act. The lawsuit seeks a financial judgement, civil penalties, and the adoption of a corrective action plan to address all compliance failures.

A Failure to Implement Adequate Security Controls

The lawsuit alleges Medical Informatics Engineering failed to implement appropriate security to protect its computer systems and sensitive patient data and, as a result of those failures, a preventable data breach occurred. According to the lawsuit, “Defendants failed to implement basic industry-accepted data security measures to protect individual’s health information from unauthorized access.”

The breach in question occurred between May 7 and May 26, 2015. Hackers were able to gain access to its WebChart electronic health record system and highly sensitive patient information – The exact types of data sought by identity thieves – Names, addresses, dates of birth, Social Security numbers, and health information.

Known Vulnerabilities Were Not Corrected

Medical Informatics Engineering had set two ‘tester’ accounts, one of which could be accessed with the username and password ‘tester’ and the other with the username and password ‘testing.’ Both accounts could be accessed remotely without the need for any further identification. The lawsuit alleges Medical Informatics Engineering was aware of the security issue as the accounts were identified as high risk by a third-party penetration testing firm, Digital Defense, in January 2015. Even though the accounts were high risk, Medical Informatics Engineering continued to use the accounts. The accounts were set up to enable one of its healthcare provider clients to login without having to use unique usernames and passwords.

While those accounts did not have privileged access, they did allow the hackers to gain a foothold in the network. Through those accounts the attackers conducted an SQL injection attack, which allowed them to gain access to other accounts with administrative privileges that were used to exfiltrate data.

Post-Breach Response Failures

While the initial attack and data exfiltration went unnoticed, a further attempt to exfiltrate data using malware caused network performance to slow to such an extent that an alarm was generated, alerting Medical Informatics Engineering that its systems had been compromised. While investigating the malware attack the attackers were still able to exfiltrate further data through SQL queries demonstrating the company’s post-breach response was “inadequate and ineffective.”

No Encryption or Employee Security Awareness Training

No encryption had been used to protect stored data and no security system had been implemented to alert Medical Informatics Engineering about possible hacking attempts. Had such a system been implemented, it would have been easy to identify unauthorized access as two of the IP addresses used by the attackers originated in Germany.

The lawsuit also alleges Medical Informatics Engineering had no documentation to confirm security awareness training had been provided to its employees prior to the data breach.

In addition to violations of HIPAA Rules, the lawsuit alleges Medical Informatics Engineering violated several state statutes relating to the protection of personal information, unfair and deceptive practices, and data breach notifications.

The post 12 State Attorneys General File HIPAA Breach Lawsuit Against Medical Informatics Engineering appeared first on HIPAA Journal.

DOJ Indicts Two Iranian Hackers for Role in SamSam Ransomware Attacks

The U.S. Department of Justice has announced significant progress has been made in the investigation of the threat actors behind the SamSam ransomware attacks that have plagued the healthcare industry over the past couple of years.

The DOJ, assisted the Royal Canadian Mounted Police, Calgary Police Service, and the UK’s National Crime Agency and West Yorkshire Police, have identified two Iranians who are believed to be behind the SamSam ransomware attacks.

Both individuals – Faramarz Shahi Savandi and Mohammad Mehdi Shah Mansouri – have been operating out of Iran since 2016 and have been indicted on four charges:

  • Conspiracy to commit fraud and related computer activity
  • Conspiracy to commit wire fraud
  • Intentional damage to a protected computer
  • Transmitting a demand in relation to damaging a protected computer

The DOJ reports that this is the first ever U.S. indictment against criminals over a for-profit ransomware, hacking, and extortion scheme.

In contrast to many threat actors who use ransomware for extortion, the SamSam ransomware group conducts targeted, manual attacks on organizations. Most ransomware gangs use spam email and other mass distribution techniques to infect as many individuals as possible.

The SamSam ransomware group exploits vulnerabilities and conducts brute force RDP attacks to gain access to systems, then investigates networks and moves laterally before manually deploying ransomware on as many computers as possible.

This method of attack allows the threat actors to inflict maximum damage. With a large percentage of an organization’s computers and systems taken out of action, the gang can issue large ransom demands. The ransoms demanded are typically in the range of $5,000 to $50,000, with the amount based on the number of devices that have been encrypted.

In the two years that the gang has been deploying SamSam ransomware, approximately $6,000,000 in ransom payments have been collected from around 200 victims. Many victims chose not to pay the ransom demands but still incurred significant costs mitigating the attacks. The DOJ estimates that in addition to the ransom payments, additional losses from downtime due to the attacks has exceed $30 million.

The gang’s list of victims is long and includes the cities of Newark, New Jersey and Atlanta, the Colorado Department of Transportation, and the Port of San Diego. Healthcare industry victims include Hancock Health, Adams Memorial Hospital, Kansas Heart Hospital, Allied Physicians of Michiana, Cass Regional Medical Center, Nebraska Orthopedic Hospital, LabCorp of America, Allscripts, and MedStar Health.

Research by Sophos indicates 26% of attacks were on the healthcare organizations, 13% were on government agencies, 11% were on educational institutions, and 50% were on private companies. The attacks have primarily been conducted on organizations in the United States, with other victims spread across Canada, the UK, and the Middle East.

The DOJ said the SamSam ransomware gang “engaged in an extreme form of 21st-century digital blackmail, attacking and extorting vulnerable victims like hospitals and schools, victims they knew would be willing and able to pay.”

The DOJ will continue to work with international law enforcement agencies to gather evidence and bring those responsible to justice.

The DOJ has also taken the opportunity to spread the message that all industry sectors are at risk of being attacked. “This indictment highlight[s] the need for businesses, healthcare institutions, universities, and other entities to emphasize cyber security, increase threat awareness, and harden their computer networks,” wrote the DOJ in a press release announcing the indictment.

The post DOJ Indicts Two Iranian Hackers for Role in SamSam Ransomware Attacks appeared first on HIPAA Journal.

UPMC Data Breach Lawsuit Reinstated by Pennsylvania Supreme Court

A lawsuit filed by employees affected by a data breach at University of Pennsylvania Medical Center (UPMC) has been revived by the Pennsylvania Supreme Court.

The lawsuit was filed after hackers stole the information of approximately 62,000 current and former UPMC employees in a data breach discovered by UPMC in February 2014. The stolen information included names, addresses, Social Security numbers, tax information, and bank account numbers. The information was used to file fraudulent tax returns in employees’ names to receive tax refunds.

According the lawsuit, “As a result of UPMC’s negligence, employees incurred damages relating to fraudulently filed tax returns and are at an increased and imminent risk of becoming victims of identity theft crimes, fraud and abuse.”

UPMC argued that there is no cause of action for negligence as no property damage or physical injury was alleged by its employees. In Pennsylvania, no cause of action exists for negligence that solely results in economic losses.

The lawsuit was thrown out by two lower courts; however, last week the lawsuit was reinstated by the state’s high court. Justice Max Baer wrote in the opinion that UPMC had a responsibility to address risks that arise from the collection of sensitive data and had a legal duty to protect sensitive information provided by its employees. UPMC breached its common-law duty to exercise reasonable care and safeguard information stored on an Internet-accessible computer system. All six Supreme Court judges agreed that UPMC was responsible for protecting the sensitive data of its employees.

Baer confirmed that “Under Pennsylvania’s economic loss doctrine, recovery for purely pecuniary damages is permissible under a negligence theory provided that the plaintiff can establish the defendant’s breach of a legal duty arising under common law that is independent of any duty assumed pursuant to contract.”

The case will now return to the lower court for review. If UPMC is found to have been negligent, UPMC may be required to pay monetary damages to employees who suffered economic losses as a result of the data breach.

The post UPMC Data Breach Lawsuit Reinstated by Pennsylvania Supreme Court appeared first on HIPAA Journal.

Former Chilton Medical Center IT Worker Gets 5 Years’ Probation for Theft of Equipment Containing ePHI

A former IT worker at Chilton Medical Center in New Jersey has been sentenced to 5 years’ probation for the theft of IT equipment that contained the protected health information of some of its patients.

Sergiu Jitcu, of Saddle Brook, NJ, had previously been employed by Chilton Medical Center. On October 31, 2017, Chilton Medical Center learned that one of its hard drives had been sold on eBay. The purchaser discovered databases on the hard drive that appeared to include the protected health information (PHI) of some of its patients.

The subsequent investigation revealed the hard drive contained the PHI of 4,600 patients who had received medical services at Chilton Medical Center between May 1, 2008 and October 15, 2017. The types of information on the hard drive included names, addresses, dates of birth, allergy information, medical record numbers, and medications.

The theft was reported to the Morris County Prosecutor’s Office and was linked to Jitcu. The Morris County Prosecutor’s Office Specialized Crime Division obtained a search warrant for Jitcu’s home and vehicle and recovered computer equipment and additional items that had been stolen from Chilton Medical Center.

Jitcu was charged and plead guilty to one count of computer criminal activity and one count of theft of computer equipment. The offenses occurred between January 1, 2015 and November 8, 2017.

A non-custodial sentence of five years’ probation was given to Jitcu on the condition that ongoing restitution payments be made to Chilton Medical Center totaling $64,250.

The post Former Chilton Medical Center IT Worker Gets 5 Years’ Probation for Theft of Equipment Containing ePHI appeared first on HIPAA Journal.

Virginia Superior Court Partially Reverses Lower Court Decision in Employee Snooping Case

When healthcare employees access patient data without authorization it is a clear violation of the Health Insurance Portability and Accountability Act’s Privacy Rule, but is the employer liable for the privacy breach?

In 2016, Lindsey Parker, a patient of Carilion Healthcare Corp’s Carilion Clinic in Virginia, took legal action against the clinic and Carilion Healthcare Corp after it was discovered that two employees of the clinic had accessed her medical records and impermissibly disclosed a past diagnosis.

The privacy breach occurred in 2012 which parker was a patient of the Carillion Rocky Mount Obstetrics & Gynecology clinic. Parker was visiting the clinic about a matter unrelated to her previous diagnosis and while waiting for treatment, Parker spoke with an acquaintance in the waiting room – Trevor Flava.

Parker alleged that a Carillion employee, Christy Davis, saw the couple talking and accessed Parker’s medical record and saw her previous diagnosis. Davis is then alleged to have contacted her friend, Lindsey Young, who worked in another Carillion facility and disclosed the diagnosis and that Parker was conversing with Flava. Young then allegedly accessed Parker’s record, confirmed the diagnosis, and disclosed that diagnosis to Flava.

Parker and her legal team sued Carilion Healthcare Corp, the Carilion Clinic, and both Carillion employees over the impermissible disclosure of her health information. In Parker’s complaint it was alleged that Carillion was directly and vicariously liable for the breach – Directly for the failure to secure her medical records and vicariously liable under respondeat superior principles. Parker also claimed that the breach amounted to negligence and a violation of HIPAA Rules for failing to ensure the confidentiality of her medical record. Parker also claimed the HIPAA violation constituted also constituted a violation of Virginia law.

Carillion argued that the employees had acted outside the scope of their employment, which precluded the respondeat superior claim, and contested the legal viability of the HIPAA violation claim. The Virginia circuit court sustained the demurrers and Parker was granted 21 days to submit an amended complaint. That did not happen, although a notice of appeal was submitted within the legal time frame on December 2, 2016.

The lawsuit has now been partially resurrected by the Virginia Supreme Court. The decision on the claim of direct liability has not been reversed, but the circuit court’s decision on the respondeat superior claim of vicarious liability has.

“Because none of these factual contests can be addressed at the pleading stage of this case, we reverse the circuit court’s order sustaining Carilion’s demurrer,” wrote Justice D. Arthur Kelsey in his opinion. Further consideration is needed on the circumstances that led to the accessing of Parker’s medical records by the employees, the reason why that information was shared, and whether the employees were actively involved in a job-related service at the time of the violation.

The post Virginia Superior Court Partially Reverses Lower Court Decision in Employee Snooping Case appeared first on HIPAA Journal.

$200,000 Settlement Agreed with Business Associate Behind Virtua Medical Data Breach

New Jersey Attorney General Gurbir S. Grewal has announced a $200,000 settlement has been agreed with Best Medical Transcription to resolve violations of the Health Insurance Portability and Accountability Act that were discovered during an investigation of a 2016 breach of 1,650 individuals’ protected health information.

Protected Health Information of 1,654 Patients Was Accessible Through Search Engines

Best Medical Transcription was a business associate of Virtua Medical Group, a network of medical and surgical practices in southern New Jersey. Best Medical Transcription was provided with dictated medical notes, letters, and reports which were transcribed for Virtua Medical Group physicians.

In January 2016, it was discovered that transcribed documents had been uploaded to File Transfer Protocol (FTP) website that was accessible over the Internet without the need for any authentication. The files had been indexed by Google and could be found using search terms including information contained in the files. Password-protection had been removed when software on the website was updated.

In total, 1,654 patients had their protected health information exposed. Affected patients were notified of the breach and Virtua Medical Group terminated its relationship with Best Medical Transcription. In 2017 Best Medical Transcription was dissolved.

The New Jersey attorney general and the New Jersey Division of Consumer Affairs investigated the breach, and Virtua Medical Group was held accountable for failing to protect patients’ data. Virtua Medical Group settled with New Jersey for $417,816 in April 2018 to resolve the HIPAA violations and agreed to improve its data protection protocol.

While covered entities can be held accountable for data breaches experienced by their business associates, vendors can also be fined directly for HIPAA violations. New Jersey also filed charges against ATA Consulting LLC, dba Best Medical Transcription, and the owner of the business, Tushar Mathur.

New Jersey alleged Best Medical Transcription had violated the HIPAA Privacy Rule, HIPAA Security Rule and HIPAA Breach Notification Rule. Specifically, it was alleged that Best Medical Transcription failed to conduct an accurate and thorough risk assessment of potential risks to the confidentiality, integrity, and availability of ePHI. There was also an alleged failure to implement appropriate safeguards to reduce risks and vulnerabilities to a reasonable and appropriate level and policies and procedures had not been implemented to prevent the improper alteration or destruction of ePHI. Best Medical Transcription also failed to notify Virtua Medical Group about the breach and the improper disclosure of ePHI was a violation of its business associate agreement with Virtua Medical Group.

Tushar Mathur agreed to pay New Jersey a civil monetary penalty of $191,492 to resolve the HIPAA violations and $8,508 to cover attorneys’ fees and costs. Mathur has also been barred from managing or owning a business in New Jersey.

“We will continue to protect the privacy of New Jersey patients by vigorously enforcing the laws safeguarding their personal health information,” said Attorney General Grewal. “Our action against Best Medical Transcription demonstrates that any entity that fails to comply with its duty to protect private health records of New Jersey patients will be held accountable… Our settlement with Best Medical Transcription sends a message that New Jersey requires compliance from all entities bound by patient privacy standards.”

HIPAA-Related Fines and Settlements with Attorneys General in 2018

While the number of HHS’ Office for Civil Rights HIPAA violation settlements and civil monetary penalties has fallen in 2018, state attorneys general have increased their enforcement actions to resolve HIPAA violations. The latest settlement brings the total number of HIPAA-related fines in 2018 to 10.

State Covered Entity Amount Individuals affected Settlement/CMP
New Jersey Best Transcription Medical $200,000 1,650 Settlement
Washington Aetna TBA 13,160 Settlement (Multi-state action)
Connecticut Aetna $99,959 13,160 Settlement (Multi-state action)
New Jersey Aetna $365,211.59 13,160 Settlement (Multi-state action)
District of Columbia Aetna $175,000 13,160 Settlement (Multi-state action)
Massachusetts UMass Memorial Medical Group / UMass Memorial Medical Center $230,000 15,000 Settlement
New York Arc of Erie County $200,000 3,751 Settlement
New Jersey Virtua Medical Group $417,816 1,654 Settlement
New York EmblemHealth $575,000 81,122 Settlement
New York Aetna $1,150,000 12,000 Settlement

The post $200,000 Settlement Agreed with Business Associate Behind Virtua Medical Data Breach appeared first on HIPAA Journal.

$16 Million Anthem HIPAA Breach Settlement Takes OCR HIPAA Penalties Past $100 Million Mark

OCR has announced that an Anthem HIPAA breach settlement has been reached to resolve potential HIPAA violations discovered during the investigation of its colossal 2015 data breach that saw the records of 78.8 million of its members stolen by cybercriminals.

Anthem has agreed to pay OCR $16 million and will undertake a robust corrective action plan to address the compliance issues discovered by OCR during the investigation.

The previous largest ever HIPAA breach settlement was $5.55 million, which was agreed with Advocate Health Care in 2016. “The largest health data breach in U.S. history fully merits the largest HIPAA settlement in history,” said OCR Director Roger Severino.

Anthem Inc., an independent licensee of the Blue Cross and Blue Shield Association, is America’s second largest health insurer. In January 2015, Anthem discovered cybercriminals had breached its defenses and had gained access to its systems and members’ sensitive data. With assistance from cybersecurity firm Mandiant, Anthem determined this was an advanced persistent threat attack – a continuous and targeted cyberattack conducted with the sole purpose of silently stealing sensitive data.

The attackers first gained access to its IT systems on December 2, 2014, with access continuing until January 27, 2015. During that time the attackers stole the data of 78.8 million plan members, including names, addresses, dates of birth, medical identification numbers, employment information, email addresses, and Social Security numbers.

The attackers gained a foothold in its network through spear phishing emails sent to one of its subsidiaries. They were then able to move laterally through its network to gain access to plan members’ data.

Anthem reported the data breach to OCR on March 13, 2015; however, by that time OCR was already a month into a compliance review of Anthem Inc. OCR took prompt action after Anthem uploaded a breach notice to its website and media reports started to appear indicating the colossal scale of the breach.

The OCR investigation uncovered multiple potential violations of HIPAA Rules. Anthem chose to settle the HIPAA violation case with no admission of liability.

OCR’s alleged HIPAA violations were:

  • 45 C.F.R. § 164.308(u)(1)(ii)(A) – A failure to conduct a comprehensive, organization-wide risk analysis to identify potential risks to the confidentiality, integrity, and availability of ePHI.
  • 45 C.F.R. § 164.308(a)(1)(ii)(D) – The failure to implement regularly review records of information system activity.
  • 45 C.F.R. § 164.308 (a)(6)(ii) – Failures relating to the requirement to identify and respond to detections of a security incident leading to a breach.
  • 45 C.F.R. § 164.312(a) – The failure to implement sufficient technical policies and procedures for electronic information systems that maintain ePHI and to only allow authorized persons/software programs to access that ePHI.
  • 45 C.F.R. § 164.502(a) – The failure to prevent the unauthorized accessing of the ePHI of 78.8 million individuals that was maintained in its data warehouse.

“Unfortunately, Anthem failed to implement appropriate measures for detecting hackers who had gained access to their system to harvest passwords and steal people’s private information,” said Roger Severino. “We know that large health care entities are attractive targets for hackers, which is why they are expected to have strong password policies and to monitor and respond to security incidents in a timely fashion or risk enforcement by OCR.”

In addition to the OCR HIPAA settlement, Anthem has also paid damages to victims of the breach. Anthem chose to settle a class action lawsuit filed on behalf of 19.1 million customers whose sensitive information was stolen. Anthem agreed to settle the lawsuit of $115 million.

2018 OCR HIPAA Settlements and Civil Monetary Penalties

Given the size of the Anthem HIPAA settlement it is no surprise that 2018 has seen OCR smash its previous record for financial penalties for HIPAA violations. The latest settlement takes OCR HIPAA penalties past the $100 million mark.

There have not been as many HIPAA penalties in 2018 than 2016(13), although this year has seen $1.4 million more raised in penalties than the previous record year and there are still 10 weeks left of 2018. The total is likely to rise further still.

OCR Financial Penalties for HIPAA Violations (2008-2018)

Year Settlements and CMPs Total Fines
2018 1 $24,947,000
2017 1 $19,393,000
2016 2 $23,505,300
2015 3 $6,193,400
2014 5 $7,940,220
2013 5 $3,740,780
2012 6 $4,850,000
2011 6 $6,165,500
2010 13 $1,035,000
2009 10 $2,250,000
2008 7 $100,000
Total 59 $100,120,200

 

HIPAA Fines and CMPs

Largest Ever Penalties for HIPAA Violations

Year Covered Entity Amount Settlement/CMP
2018 Anthem Inc $16,000,000 Settlement
2016 Advocate Health Care Network $5,550,000 Settlement
2017 Memorial Healthcare System $5,500,000 Settlement
2014 New York and Presbyterian Hospital and Columbia University $4,800,000 Settlement
2018 University of Texas MD Anderson Cancer Center $4,34,8000 Civil Monetary Penalty
2011 Cignet Health of Prince George’s County $4,300,000 Civil Monetary Penalty
2016 Feinstein Institute for Medical Research $3,900,000 Settlement
2018 Fresenius Medical Care North America $3,500,000 Settlement
2015 Triple S Management Corporation $3,500,000 Settlement
2017 Children’s Medical Center of Dallas $3,200,000 Civil Monetary Penalty

The post $16 Million Anthem HIPAA Breach Settlement Takes OCR HIPAA Penalties Past $100 Million Mark appeared first on HIPAA Journal.