Delaware Rehab Facilities Settle Social Media and Breach Notification HIPAA Violations – The HIPAA Journal
Delaware Rehab Facilities Settle Social Media and Breach Notification HIPAA Violations
A $182,000 settlement has been agreed between the HHS’ Office for Civil Rights and five Delaware healthcare providers to resolve alleged violations of the HIPAA Privacy and HIPAA Breach Notification Rules. The settlement concerns the posting of patients’ protected health information (PHI) on social media without first obtaining HIPAA-compliant authorizations to use PHI for a purpose not expressly permitted by the HIPAA Privacy Rule, then failing to notify individuals about the impermissible use and disclosure.
Cadia Healthcare is a provider of rehabilitation, skilled nursing, and long-term care services at five facilities in Delaware. Those facilities are Cadia Rehabilitation Broadmeadow in Middletown, Cadia Rehabilitation Renaissance in Millsboro, Cadia Rehabilitation Capital in Dover, and Cadia Rehabilitation Pike Creek and Cadia Rehabilitation Silverside in Wilmington, collectively referred to as the Cadia Healthcare Facilities (Cadia).
Each of the Cadia facilities is a HIPAA-covered entity that is required to comply with the HIPAA Rules. OCR launched an investigation after receiving a complaint on September 20, 2021, about an alleged impermissible disclosure of PHI online. The complainant alleged that Cadia had used their photograph, name, and information about their condition, treatment, and recovery in an online post but had not obtained authorization to use the information for that purpose.
OCR’s investigation substantiated the allegation and determined that a Cadia employee had posted the patient’s PHI to Cadia’s social media page as part of a success story; however, a signed authorization form had not been obtained prior to that use and disclosure. Under HIPAA, PHI cannot be posted online on websites or social media pages unless a HIPAA-compliant authorization has been obtained from an individual in advance.
OCR notified Cadia about the allegations and the findings of the investigation, and Cadia removed the post and notified the patient that the success story had been removed. OCR also identified other patients whose treatment had been included in a series of success stories. As of February 22, 2022, Cadia had created and posted success stories containing the PHI of 150 patients without obtaining valid HIPAA authorizations. According to OCR, Cadia shut down the success story program in March 2022, but failed to issue notifications to the affected individuals, as required by the HIPAA Breach Notification Rule.
“The internet and social media are important business development tools. But before disclosing PHI through social media or public-facing websites, covered entities and business associates should ensure that the HIPAA Privacy Rule permits the disclosure,” said OCR Director Paula M. Stannard. “Generally, a valid, written HIPAA authorization from an individual is necessary before a covered entity or business associate can post that individual’s PHI in a website testimonial or through a social media campaign.”
In April 2025, OCR entered into a settlement agreement with Cadia to resolve the alleged violations of the HIPAA Rules. The alleged violations related to two Privacy Rule and one Breach Notification Rule provisions:
- 45 C.F.R. § 164.530(c) – The failure to implement appropriate administrative, technical, and physical safeguards to protect the privacy of PHI and reasonably safeguard PHI from any intentional or unintentional use or disclosure.
- 45 C.F.R. § 164.502(a) – The impermissible use or disclosure of PHI
- 45 C.F.R. § 164.404(a) – The failure to issue timely breach notifications
In addition to paying the financial penalty, the settlement agreement includes a corrective action plan (CAP). Cadia will be monitored for compliance with the CAP for 2 years. The corrective action plan requires Cadia to review and revise, as necessary, its policies and procedures to ensure compliance with the HIPAA Rules. Those policies and procedures must be distributed to the workforce, and HIPAA training must be provided to workforce members. Policies and procedures must be reviewed at least annually and updated as necessary to ensure continued HIPAA compliance. Cadia is also required to issue breach notifications concerning the impermissible disclosures of PHI under the success story program.
Notifications have already been issued, and the Cadia websites currently display a notice about the privacy violations. Cadia confirmed that it had policies and procedures in place requiring patients to sign a written consent form prior to using their information in its success story program. “On February 22, 2022, we learned that one or more of these success stories may have been posted without a valid consent form on file for the patient highlighted in the story. We promptly launched an investigation, removed all success stories from our social media pages, and on March 2, 2022, eliminated the success story program in its entirety,” explained Cadia in its substitute breach notice. “Because we deleted all success stories in 2022, we were unable to definitively determine all individuals who participated in the success story program. Accordingly, out of an abundance of caution, we are notifying individuals who may have participated and for whom we could not locate a valid consent form.”
This is the 20th HIPAA penalty to be imposed by OCR to resolve violations of the HIPAA Rules so far in 2025, making it one of the most active years of HIPAA enforcement. So far this year, OCR has collected more than $8.2 million in civil monetary penalties and settlements.
The post Delaware Rehab Facilities Settle Social Media and Breach Notification HIPAA Violations appeared first on The HIPAA Journal.
A former employee alleged Verily violated HIPAA. What healthcare marketers should know about the claims – Medical Marketing and Media
A former employee alleged Verily violated HIPAA. What healthcare marketers should know about the claims Medical Marketing and Media
HHS’ Office for Civil Rights Settles HIPAA Investigation of Cadia Healthcare Facilities for Disclosure of Patients’ Protected Health Information – HHS.gov
Hospitals Settle EMTALA Violations After Failing to Screen and Treat Patients With Emergency Mental Health Conditions
The Department of Health and Human Services Office for Inspector General (HHS-OIG) has announced two settlements with healthcare providers to resolve alleged violations of the Emergency Medical Treatment and Labor Act (EMTALA) due to the failure to provide adequate medical screening examinations and stabilizing treatment to patients with emergency mental health complaints.
EMTALA requires Medicare-participating hospitals to provide a medical screening examination to anyone seeking treatment for a potential emergency medical condition, regardless of their ability to pay. Stabilizing treatment must be provided to the patient, or the patient may be transferred to another facility if the hospital is unable to provide stabilizing treatment within its capabilities.
North Carolina Baptist Hospital (NCBH) was investigated by HHS-OIG and was found to have violated EMTALA on two occasions in August 2021. A patient presented at the Emergency Department requesting a psychiatric evaluation, a psychotropic medication refill, and complained of back pain at an 8/10 level. The patient was triaged and found to have abnormal vital signs. Around four hours later, NCHB’s records showed that the patient left the facility without being seen. Two days later, the patient returned to the ED two days after jumping off a bridge and being hit by a truck, and later died from the injuries.
The same month, a patient with a history of schizoaffective disorder, bipolar disorder, and depression presented to the hospital with psychological issues, having arrived by ambulance due to a psychiatric disturbance. In the ED, the patient experienced auditory hallucinations and made bizarre, illogical statements. The patient was given intravenous fluids and was discharged home the following day, without having been given a detailed psychiatric evaluation. At the time of discharge, the patient refused to leave and claimed she could not walk or see. After speaking with a doctor, she was given a bus token and was escorted off the premises by a security guard. After her mother called the hospital to inquire about her whereabouts, the patient was found in a hospital robe at a bus stop. Around one week later, the patient was involuntarily committed to a psychiatric facility. NCBH settled the alleged EMTALA violations and paid a $200,000 financial penalty.
Swedish American Hospital (SAH) in Rockford, Illinois, was investigated over an alleged EMTALA violation in 2024 when a patient was not provided with appropriate medical screening after presenting at the hospital’s Emergency Department, complaining of suicidal ideation. The previous day, SAH referred the patient to a mental health professional at an outpatient facility, who signed a petition for involuntary admission. The patient presented at the hospital with the petition; however, the patient did not receive an appropriate medical screening examination, was not provided with stabilizing treatment, and was discharged two hours after presenting at the hospital. SAH settled the alleged violation with HHS-OIG and paid a $100,000 financial penalty.
The post Hospitals Settle EMTALA Violations After Failing to Screen and Treat Patients With Emergency Mental Health Conditions appeared first on The HIPAA Journal.
Hospital Sisters Health System Settles Class Action Data Breach Lawsuit for $7.6 Million
A class action lawsuit against Hospital Sisters Health System has been settled for $7.6 million. The lawsuit relates to an August 2023 cyberattack that affected approximately 883,000 individuals. The cyberattack caused an outage of computer systems, phone lines, and websites, and its MyChart and MyPrevea applications were taken offline for several days, leaving the health system unable to take payments. The investigation confirmed that the threat actor accessed systems containing patient and employee information between August 16, 2023, and August 27, 2023, and potentially exfiltrated data. Notification letters started to be mailed to the affected individuals on October 26, 2023.
Several class action lawsuits were filed against Hospital Sisters Health System in response to the data breach. Since they had overlapping claims and were based on the same facts, the lawsuits were consolidated into a single action – In re Hospital Sisters Health System Data Breach Litigation, in the Circuit Court of the Seventh Judicial Circuit of the State of Illinois, Sangamon County, Chancery Division.
The lawsuit alleged that Hospital Sisters Health System was negligent because it failed to implement reasonable and appropriate security measures to protect its network and patient and employee data from unauthorized access, and had those measures been implemented, the data breach could have been prevented. Hospital Sisters Health System denies all claims asserted in the lawsuit and denies all allegations of wrongdoing and liability. Class counsel and the plaintiffs believe that the legal claims asserted in the lawsuit have merit.
After assessing the strengths and weaknesses of the case, the plaintiffs and defendants moved to settle the litigation to avoid the burden, expense, risk, and uncertainty of continued litigation. Class counsel and the plaintiffs believe that the settlement is fair and provides substantial benefits for the settlement class. Under the terms of the settlement, all class members are entitled to enroll in financial data monitoring services for two years. The CyEx Financial Shield package includes fraud and identity monitoring, including monitoring for unauthorized financial transactions and compromised bank and financial account numbers. Class members will also benefit from a $1 million financial fraud insurance policy.
Class members are also eligible to claim one of two cash benefits. They may submit a claim for reimbursement of documented, unreimbursed losses due to the data breach, up to a maximum of $5,000 per class member. Alternatively, they can submit a claim for a pro rata cash payment, which will be paid after attorneys’ fees, expenses, settlement administration costs, class representative awards, financial data monitoring costs, and claims have been paid.
The settlement has received preliminary approval from the court, and the final fairness hearing has been scheduled for December 4, 2025. Class members wishing to object to the settlement or exclude themselves must do so by November 14, 2025, and the deadline for submitting a claim is November 14, 2025.
The post Hospital Sisters Health System Settles Class Action Data Breach Lawsuit for $7.6 Million appeared first on The HIPAA Journal.
Cybersecurity Awareness Month 2025: Building a Cyber Strong America – The HIPAA Journal
Cybersecurity Awareness Month 2025: Building a Cyber Strong America The HIPAA Journal
Cybersecurity Awareness Month 2025: Building a Cyber Strong America
October is Cybersecurity Awareness Month – a global initiative that aims to educate the public and businesses about the importance of cybersecurity and protecting against cyber threats to systems and data. The initiative is led by the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA), and this year’s theme is “Building a Cyber Strong America. The main focus this year is improving cybersecurity at the government entities and small and medium-sized businesses that operate and maintain the nation’s critical infrastructure, as well as the myriad of vendors and suppliers that support or are connected to critical infrastructure.
CISA is issuing a call to action to all critical infrastructure entities and vendors that support those entities to take steps to improve cybersecurity, starting with four essential steps to improve baseline security:
- Avoid phishing
- Use strong passwords
- Require multifactor authentication
- Update business software
Phishing is the initial access vector in many cyberattacks, providing threat actors with the credentials they need to access internal systems and data and conduct a comprehensive attack on the organization. According to the cybersecurity firm SentinelOne, phishing attacks have increased by 1,265%, with that increase driven by the growth of GenAI. These attacks target employees and trick them into disclosing credentials, opening malicious email attachments, or clicking links that direct them to malicious sites where malware is downloaded. While technical defenses such as spam filters can reduce the number of threats that reach employees, it is vital to train the workforce on how to recognize and report suspicious emails.
A system is only as secure as the password used to protect it, so it is essential that passwords are used that are difficult to guess and are resistant to automated brute force attempts. According to Hive Systems, even a password consisting of 10 random numbers could be cracked in less than a day, compared to 803,000 years for a 10-character password consisting of numbers, upper and lower case letters, and special characters. Strong passwords should be mandatory for all users.
Even strong passwords are not sufficient by themselves, as while they may be difficult to brute force, they can be obtained by threat actors through phishing, for example. Multifactor authentication adds an additional layer of protection, ensuring that a password alone is not sufficient to access accounts, systems, and devices. Implementing multifactor authentication will significantly improve security, and where possible, phishing-resistant multifactor authentication should be implemented.
Threat actors target vulnerabilities in software and operating systems and exploit them to gain access to the networks of critical infrastructure entities and their vendors. All business software and operating systems should be kept up to date, with patches and security updates applied promptly to fix vulnerabilities before they can be exploited. After completing these four essential steps to improve baseline security, the next step is to level up defenses through additional actions, such as implementing logging on all systems. Logs should be monitored for anomalous activity, including hacking incidents and insider threats.
Ransomware is one of the biggest threats, especially in healthcare. These attacks lock victims out of systems and prevent access to critical data, causing massive disruption to business operations. It is therefore essential to ensure that all critical information is backed up securely, as this will allow a fast recovery in the event of an attack. In addition to making multiple backups and securing one copy off-site, backups should be checked to ensure that file recovery is possible. A backup plan should also be developed to reach the recovery point in the shortest possible time frame.
Data encryption is another key protection to safeguard data at rest and in transit. If a threat actor gains access to files, the data cannot be viewed. Threat information sharing is also a key part of building a strong cyber America. By informing CISA about cyberattacks and sharing pertinent information, CISA can take steps to warn others and help them avoid similar threats.
Healthcare organizations should also consider implementing the cybersecurity performance goals (CPGs) developed by the Department of Health and Human Services in collaboration with CISA. The CPGs set a floor of safeguards that will help prevent successful cyberattacks, and the enhanced CPGs help healthcare organizations mature their cybersecurity capabilities. The 2025 HIPAA Journal Annual Survey indicated a lack of awareness of these important CPGs.
“Critical infrastructure – whether in the hands of state and local entities, private businesses, or supply chain partners – is the backbone of our daily lives,” said Acting CISA Director Madhu Gottumukkala. “Whenever it’s disrupted, the effects ripple through communities across America. That’s why this year CISA is prioritizing the security and resilience of small and medium businesses, and state, local, tribal, and territorial government (SLTT) that facilitate the systems and services [that] sustain us every day. This includes things like clean water, secure transportation, quality healthcare, secure financial transactions, rapid communications, and more. Together, we must make resilience routine so America stays safe, strong, and secure.”
The post Cybersecurity Awareness Month 2025: Building a Cyber Strong America appeared first on The HIPAA Journal.