HIPAA Violation Monthly Update

A HIPAA violation is no joke. Some violators face jail time. More typically, though, the Office of Civil Rights (OCR) enforces HIPAA by fining organizations that violate the law. While HIPAA is a federal law, violating organizations often find themselves breaking state laws as well. That's how the health insurance company Anthem found itself paying $48.2 million in fines and settlements after a data breach. While OCR imposed a $16 million fine, that sum was combined with penalties imposed by over 43 states. Unfortunately, violations happen often. So, it's useful to keep track of newsworthy events with a HIPAA violation monthly update. This lets interested parties keep tabs on critical information. OCR organizes all breaches it's currently investigating by date. OCR maintains the public list of breaches to comply with the HITECH Act. In this piece, you'll discover noteworthy highlights from the Data Breach Portal. Read on to learn about eight notable cases that began, moved forward, or settled in the month of November.

Review: What is HIPAA?

HIPAA is the Health Insurance Portability and Accountability Act of 1996. While the law includes several rules, HIPPA violations typically concern risks or harms to a patient's privacy. Or, violators prevent patients from rightful access to their own PHI. For a full list of HIPAA rules, see HHS' HIPAA Guidance Materials. They describe best practices to comply with HIPAA's:

• Security Rule
• Privacy Rule
• Breach Notification Rule
• Permitted disclosures

All organizations that work with patients' private health information (PHI) must comply with HIPAA. This includes medical practices, insurance companies, clinical trial sites, and third parties. Violations can be intentional or negligent. OCR can hold an organization liable for a HIPAA violation due to cybercrime. Other violations happen when organizations expose patient data due to poor practices. Notably, HIPAA only regulates organizations that work with patient data. These organizations are responsible for protecting PHI and keeping it confidential. Other organizations (like media groups) have no HIPAA-compliance obligation.

November HIPAA Violation News: Breach Notifications, Investigations, and Settlements

OCR listed thirty-one HIPAA-violation cases currently under investigation in November 2021. This month also saw some notable settlements and case closures. Each November HIPAA violation put patients at risk. But, not all risks are equal. So, the eight most newsworthy HIPAA violations for November impact a high number of patients. Or, they’re notably egregious.

1. OCR Fines NJ-Based Printing Companies $130,000

A settlement marks the final HIPAA violations update on a case that has dragged on for over a year. On November 16th, two printing companies responsible for patient health documents agreed to a $130,000 fine. Command Marketing Innovations and Strategic Content Imaging contracted with a managed healthcare organization. The printing companies were contractors legally handling PHI. They were required to comply with HIPAA's privacy standard for third parties. OCR found both companies out of compliance. Their negligence exposed 55,500 patients' PHI. Each company made a printing error on mailed materials sent to patients. The materials were individual statements of benefits. But, due to the error, they printed each patient's information on a different patient's mailer. This led mail recipients to see private information about unrelated patients. Many individuals received mail with other patients':

• Names
• Claims numbers
• Medical treatments
• Dates of service

Both companies were cited for failing to ensure PHI remained confidential, failing to prevent unauthorized disclosure, and failing to review security measures. The state of New Jersey also found both groups violated the New Jersey Consumer Fraud Act. Both companies agreed to a Consent Order. The order requires both printers to implement a comprehensive security program. If they comply, the State Attorney general will reduce their settlement fine by $65,000.

2. Lawsuit Against Humana Moves Forward, Alleged Violation of HIPAA's Breach Notification Rule 

Organizations must notify impacted patients of a security breach within sixty days. This lets patients take protective action, like identity theft prevention. Cotiviti, a Humana vendor, subcontracted with Visionary Medical Records (VMR). A VMR employee violated HIPAA when they wrongfully disclosed patient data to unauthorized individuals. From October-December 2020, the employee published PHI to their personal Google Drive account. This account was publically accessible and not secure. The VMR employee used PHI for training, without VMR or patient approval. VMR notified Cotiviti and Humana of the breach on December 22, 2020. But, Humana allegedly did not notify patients within sixty days. Instead, Humana did not notify patients until May 2021. Over 65,000 patients were affected by the breach. They filed a class-action suit against Humana and Coviti in Kentucky, for violating the state's patient privacy rights laws. The lawsuit moved forward this month. OCR opened an investigation of the incident on November 9th, 2021. Prior Alleged Humana Database Breach  This lawsuit comes on the heels of another Humana data breach. On July 16th, 2021, FBI investigators discovered an SQL database of Humana patients' PHI on WeTransfer and a popular forum frequented by criminal hackers. The SQL database included comprehensive data on 6,487 patients. Data included patient IDs, treatment data, mailing addresses, password hashes, and medical photos. Humana argues that this data was not stolen from its systems. Instead, the insurer alleges "an unaffiliated third-party application" created the database by scamming Medicare Advantage patients.

3. Concentra Sends Medical Records to Wrong Address, Exposing PHI

Concentra is a Texas-based national healthcare company. On November 1st, the company accidentally mailed boxes of confidential materials to Blake Drumm. Blake Drumm lives in Gastonia, North Carolina. He has no affiliation with Concentra, nor any healthcare group. In interviews with local news reporters, Drumm says he was "stunned" when he discovered the PHI in the box. Drumm opened the box because he believed it was a delivery of items he'd ordered. Instead, it included patients' private information, including Social Security Numbers and medical records. Concentra intended to send the box to the University of Pittsburgh Medical Center. But, they'd inadvertently addressed the package to Drumm's home. Drumm called the patients to warn them to protect themselves from identity theft. He also contacted Concerta. OCR began investigating the incident this month. OCR has previously used Concentra as a case study to demonstrate the risks of poor data encryption. OCR fined Concentra $1,725,000 in 2014 over a data breach that year.

4. True Health New Mexico Exposes 62,000 Patients' Data

In late November, True Health New Mexico notified OCR of a cyberattack on their system. Cybercriminals attacked the New Mexico-based insurance provider the previous month. According to True Health's report, hackers may have accessed over 62,000 patients' PHI. Currently, no patients have reported unusual activity or victimization by identity thieves. True Health New Mexico offered all affected patients two years of complimentary credit monitoring. OCR launched its investigation on November 17th.

5. University Hospital Newark Insider Steals 19,000 Patients' PHI

Two recent HIPAA violations stem from a single incident. OCR began investigating a breach at University Hospital, Newark, that exposed 10,067 patients' data on November 5th. The exposure turned out to be the continued effects of a crime committed from January 2016-December 2017. In October 2021, University Hospital Newark discovered an employee had looked at patient data without authorization, for over two years. The hospital suspected the employee of attempted identity theft. They fired the employee and contacted law enforcement. The hospital also notified patients whose data was viewed. At the time, Univerity Hospital, Newark, identified 9,329 patients as at-risk to identity theft. Later, in November, the hospital discovered the ex-employee had targeted—and possibly leaked—over 10,000 additional patients' data. University Hospital Newark updated OCR with the latest information. The hospital system offered all impacted patients one year of identity theft protection.

6. Urology Center of Colorado Posts Data Breach Notice: 137,820 Patients At Risk

OCR began investigating the Urology Center of Colorado on November 5th, 2021. The Urology Center of Colorado (TUCC) notified patients of a possible data breach earlier this month. TUCC discovered a cybercriminal may have hacked into their database on September 8th and 9th 2021. TUCC reviewed the database and instigated other security assessments immediately. The Center completed its assessment on October 30th, 2021. It notified potentially affected patients at that time. TUCC also notified OCR The center posted a helpline for affected patients to call. So, they may get more information on the breach and protective measures.

7. Southern Ohio Medical Center Continues EHR Downtime Due to Cyberattack

Cybercriminals attacked Southern Ohio Medical Center (SOMC) on November 11th. The attackers accessed the center's servers, which stored PHI. This interrupted medical staff's access to electronic health records (EHRs). So, on the day of the attack, SOMC had to re-route ambulances to other medical centers. Patients scheduled for non-emergency surgeries and outpatient procedures had to reschedule for a later date. By the evening of November 11th, SOMC had regained access and function of EHRs. Now, the center is working with the FBI to determine who launched the cyberattack. They're also trying to discern the identity theft risk to patients.

8. OCR Investigates UNC Hospitals, Patients Risk Identity Theft

On September 20th, 2021, UNC Hospitals discovered an employee was stealing patients' information. The employee worked in the hospital system's financial processing department. UNC Hospitals fired the employee. This November, it sent 719 patients direct notifications that were at risk for identity theft. The hospital system offered all affected patients one year of free credit monitoring. The police department opened a criminal investigation. Police requested all affected patients call a hotline to describe any identity theft they experiences. OCR opened the investigation over the potential HIPAA violation on November 5th.

Prevent HIPAA Violations With HIPAA Exams

The last thing your organization needs is a fine over a HIPAA violation. Keep up to date with best practices. HIPAA Exams offers seminars and tools to help every healthcare group stay compliant.