HIPAA Violations

Explore some examples of HIPAA Violations & Settlements with the OCR along with the details of which HIPAA rules were violated

At a time when patient data has been increasingly digitized, safeguarding PHI and Medical Data has never been more critical. Unfortunately, breaches can occur, jeopardizing patient trust and exposing healthcare providers to legal consequences. Join us as we explore some examples of HIPAA Violations.

1. Yakima Valley Memorial Hospital Settlement (2022)

In April 2022, Yakima Valley Memorial Hospital in Washington state agreed to a settlement with the Office for Civil Rights (OCR) over a potential violation of the HIPAA Privacy Rule. The case began when a patient claimed that the hospital did not grant her timely access to her medical records. The delay exceeded the 30-day period stipulated by HIPAA regulations for fulfilling such requests.

HIPAA Violations:

  • Failure to Provide Timely Access: Yakima Valley Memorial Hospital did not provide the requested medical records within the mandated 30-day period, resulting in a violation of the HIPAA Right of Access provision.

  • Right of Access Initiative: This case was part of the OCR’s Right of Access Initiative aimed at enforcing patients’ rights to promptly access their health information.

Consequences for Yakima Valley Memorial Hospital: The hospital agreed to pay an $85,000 settlement and implement a corrective action plan. This plan included revising policies and procedures, training staff on HIPAA compliance, and submitting regular reports to the OCR on their compliance efforts.

2. L.A. Care Health Plan Settlement (2020)

In February 2020, L.A. Care Health Plan reached a settlement with the OCR concerning potential breaches of the HIPAA Privacy and Security Rules. At the time, it was the largest publicly operated health plan in the U.S. The agreement stemmed from two distinct incidents involving the unauthorized disclosure of protected health information (PHI) due to ongoing noncompliance with HIPAA standards. The breaches impacted more than 2,000 individuals and included unauthorized releases of names, addresses, birth dates, and details of medical services.

HIPAA Violations:

  • Inadequate Risk Analysis: Under HIPAA, covered entities are required to perform a thorough risk analysis to identify and evaluate potential threats to the confidentiality, integrity, and availability of electronic protected health information (ePHI). L.A. Care failed to conduct this risk analysis.

  • Insufficient Risk Management: The organization did not implement adequate security measures to reduce identified risks and vulnerabilities to a reasonable and appropriate level.

  • Lack of Audit Controls: L.A. Care lacked appropriate procedures for regularly reviewing information system activity records like audit logs and access reports. This deficiency hindered their ability to identify unauthorized access or disclosure of PHI.

Consequences for L.A. Care Health Plan: L.A. Care Health Plan agreed to pay a $1.3 million settlement and undertake a corrective action plan. The plan required them to conduct a thorough risk analysis, implement risk management strategies, enhance their audit controls, and provide HIPAA training to their workforce.

3. Excellus Health Plan Data Breach Settlement (2021)

In January 2021, Excellus Health Plan, a New York-based health insurer, faced penalties after a breach exposed the PHI of 9.3 million individuals and the OCR identified potential violations of the HIPAA Security and Privacy Rules. The breach occurred between December 2013 and May 2015 but was not discovered until 2015. Compromised data included names, addresses, birth dates, Social Security numbers, financial account information, and medical information.

HIPAA Violations:

  • Failure to Conduct Risk Analysis: Excellus did not perform an enterprise-wide risk analysis to identify potential risks and vulnerabilities to the confidentiality, integrity, and availability of ePHI, as required by HIPAA.

  • Inadequate Safeguards: The company failed to implement sufficient measures to mitigate risks and vulnerabilities to a reasonable and appropriate level.

Consequences for Excellus Health Plan: Excellus agreed to pay a $5.1 million settlement to the Office for Civil Rights (OCR) and adopted a corrective action plan to address the deficiencies in its HIPAA compliance program.

4. Peach State Health Management, LLC (dba AEON Clinical Laboratories) Settlement (2021)

In September 2021, Peach State Health Management, doing business as AEON Clinical Laboratories, settled with the OCR for potential violations of the HIPAA Security and Privacy Rules. The settlement related to a data breach reported in 2017, which affected approximately 16,000 individuals. Exposed information included names, dates of birth, Social Security numbers, and medical test results.

HIPAA Violations:

  • Failure to Implement Security Measures: The laboratory did not implement appropriate security measures to reduce risks and vulnerabilities to ePHI, violating HIPAA requirements.

  • Lack of Business Associate Agreements: Peach State failed to obtain satisfactory assurances through business associate agreements with its vendors, as mandated by HIPAA.

Consequences for AEON Clinical Laboratories: The company agreed to pay $25,000 and to adopt a corrective action plan to address its noncompliance issues.

5. Ardent Health Services Settlement (2021)

In April 2021, Ardent Health Services and its subsidiaries agreed to a settlement with the OCR following a data breach that exposed the ePHI of over 1 million individuals. The breach was the result of a phishing email that allowed unauthorized access to Ardent’s systems, compromising patient names, dates of birth, contact information, and medical details.

HIPAA Violations:

  • Insufficient Risk Management: Ardent failed to implement adequate risk management measures to address potential vulnerabilities to ePHI, which is a requirement under HIPAA.

  • Inadequate Audit Controls: The organization lacked sufficient audit controls to monitor and log access to ePHI, hindering its ability to detect unauthorized access.

Consequences for Ardent Health Services: Ardent agreed to a $3 million settlement with the OCR and to implement a corrective action plan aimed at strengthening its HIPAA compliance and improving its security measures.

6. Anthem Inc. Data Breach Settlement (2015)

In 2015, Anthem Inc., then one of the largest health insurance companies in the United States, experienced a massive cyberattack that exposed the electronic protected health information (ePHI) of nearly 79 million individuals. The leaked data included names, birth dates, addresses, Social Security numbers, and employment information.

HIPAA Violations:

  • Failure to Implement Safeguards: Anthem did not adequately secure its I.T. systems against cyberattacks. The Office for Civil Rights (OCR) found that the company failed to conduct an enterprise-wide risk analysis and did not implement appropriate access controls to prevent unauthorized access to ePHI.

  • Impact: This was one of the largest healthcare data breaches in history. The breach highlighted the vulnerabilities in healthcare cybersecurity practices.

Consequences for Anthem Inc.: Anthem agreed to pay a record $16 million settlement to the OCR and took corrective actions to improve its security measures. The settlement emphasized the importance of robust cybersecurity protocols to protect patient information.

7. Cignet Health’s Refusal to Provide Records (2011)

Cignet Health, a Maryland-based healthcare provider, was fined for failing to share the medical records of 41 patients upon request, a right guaranteed to patients under HIPAA’s Privacy Rule.

HIPAA Violations:

  • Violation of Patient Rights: Under HIPAA, patients have the right to request and obtain access to their medical records within 30 days. Cignet failed to comply with these requests without providing a valid reason.

  • Failure to Cooperate with Investigation: Beyond denying access, Cignet did not cooperate with the OCR’s investigation, which is a requirement under HIPAA regulations.

Consequences for Cignet Health: Cignet was fined a total of $4.3 million—the first civil money penalty issued by the OCR for HIPAA violations. The fine reflected both the original violation and the company’s willful neglect in failing to cooperate.

8. New York-Presbyterian Hospital and Columbia University Breach (2014)

In 2014, a data breach at New York-Presbyterian Hospital (NYP) and Columbia University (C.U.) exposed the ePHI of 6,800 patients. The breach occurred when a C.U. physician attempted to deactivate a personal computer server on the network, inadvertently making patient records accessible on the Internet.

HIPAA Violations:

  • Insufficient Technical Safeguards: The organizations lacked proper technical policies and procedures to prevent unauthorized access. There was a failure to ensure the server was secured and that ePHI was protected when changes were made to the network.

  • Inadequate Risk Analysis: Both NYP and C.U. did not conduct a thorough risk analysis as required by HIPAA to identify potential vulnerabilities in their systems.

Consequences for New York-Presbyterian Hospital and Columbia University: The two institutions agreed to a combined settlement of $4.8 million ($3.3 million for NYP and $1.5 million for C.U.) and were mandated to adopt corrective action plans. The case underscored the need for entities to diligently manage the risks associated with networked systems and employee actions.

9. HIPAA Mobile Security Violation

A prominent case highlighting mobile security risks occurred with the University of Texas MD Anderson Cancer Center, which faced a $4.3 million fine after losing a laptop and two unencrypted thumb drives containing ePHI for over 34,000 individuals. The devices were neither encrypted nor password-protected, violating HIPAA’s Security Rule. The case underscores the importance of encryption and strong device security measures.

Overview of databrackets

Our team of security experts has supported organizations across a wide variety of industries to align their processes with security frameworks like ISO 27001:2022, SOC 2, HIPAA, 21 CFR Part 11, NIST SP 800-53, NIST Cybersecurity Framework, NIST SP 800-171, GDPR, CMMC etc.

We are constantly expanding our library of assessments and services to serve organizations across industries. Schedule a Consultation if you would like to Connect with an Expert to understand how we can customize our services to meet your specific requirements.
