ARTICLE
2 April 2025

HHS Settles HIPAA Security Breach Stemming From Phishing Cyberattack For $3 Million

Hall Benefits Law


Strategically designed, legally compliant benefit plans are the cornerstone of long-term business stability and growth. As such, HBL provides comprehensive legal guidance on benefits in M&A, ESOPs, executive compensation, health and welfare benefits, retirement plans, and ERISA litigation matters. Responsive, relationship-driven counsel is the calling card of the Firm.

The Office for Civil Rights (OCR), a division of the U.S. Department of Health and Human Services (HHS), has announced a $3 million settlement with Solara Medical Supplies, LLC, a covered entity under the Health Insurance Portability and Accountability Act (HIPAA). The settlement resolves violations of the HIPAA Security Rule and Breach Notification Rule arising from a cyberattack that led to the unauthorized disclosure of protected health information.

OCR began its investigation into the incident after Solara reported a phishing attack that allowed an unauthorized third party to gain access to eight employees' email accounts. The compromised mailboxes exposed the electronic protected health information (ePHI) of over 100,000 individuals, including personal identifying information such as driver's license numbers and Social Security numbers, as well as credit card, billing, and claims information.

Solara then reported a second breach when it mailed notification letters about the first breach to incorrect mailing addresses. The misdirected letters disclosed PHI, in the form of demographic information, for over 1,500 people.

Through its investigation, OCR concluded that Solara had failed to conduct a compliant risk analysis and failed to take security measures designed to reduce the risk of ePHI disclosure. The OCR further found that Solara failed to inform individuals, HHS, and the media of the security breach in a timely manner. Therefore, Solara agreed to a $3,000,000 settlement payment and a corrective action plan requiring the company to take the following steps:

  • Conduct an accurate and thorough risk analysis to determine the potential risks and vulnerabilities to the ePHI;
  • Develop and implement a written risk management plan to mitigate risks and vulnerabilities identified in the risk analysis;
  • Develop, maintain, and revise its written policies and procedures regarding privacy and security of PHI; and
  • Provide training on its HIPAA policies and procedures to its workforce.

The OCR press release highlights the increasing danger and frequency of cyberattacks.

OCR also recommends that HIPAA-covered entities adopt security precautions and mitigation strategies, including:

  • Reviewing vendor relationships to ensure business associate agreements are in place;
  • Integrating risk analysis and risk management plans into business processes;
  • Regularly reviewing information system activity;
  • Utilizing multifactor authentication;
  • Using encryption to guard against unauthorized access; and
  • Providing training on a regular basis.
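Two of the recommendations above, regularly reviewing information system activity and requiring multifactor authentication, are what would have surfaced the Solara-style mailbox compromise early. The script below is an added example written for this article, not code from OCR, HHS, or Solara. It reviews a constructed batch of mailbox audit events for the indicators that typically follow a phished credential: a password-only sign-in from an address the account has never used, a new inbox rule forwarding mail outside the organization, and a bulk read of mailbox items. The event format (JSON lines with the fields shown), the list of known IP addresses, the internal domain, and the bulk-read threshold are all assumptions for illustration; real mail platforms use their own audit schemas and the field names would need mapping.

```python
"""Review mailbox audit events for indicators of a phished account.

Added example for this article, not code from OCR, HHS, or Solara. The
event format is a constructed, simplified JSON-lines schema (an assumption);
production mail platforms expose different audit field names.
"""
import json
from collections import defaultdict

# Constructed sample audit events: one normal user (alice) and one whose
# credentials were phished (bob): password-only login from a new address,
# then an external forwarding rule, then a bulk read of the mailbox.
SAMPLE_EVENTS = """
{"ts":"2025-03-01T08:02:11Z","user":"alice@example.test","op":"UserLoggedIn","ip":"203.0.113.10","mfa":true}
{"ts":"2025-03-01T08:05:40Z","user":"alice@example.test","op":"MailItemsAccessed","ip":"203.0.113.10","count":12}
{"ts":"2025-03-01T22:14:02Z","user":"bob@example.test","op":"UserLoggedIn","ip":"198.51.100.77","mfa":false}
{"ts":"2025-03-01T22:16:30Z","user":"bob@example.test","op":"New-InboxRule","ip":"198.51.100.77","forward_to":"collector@attacker.test"}
{"ts":"2025-03-01T22:20:00Z","user":"bob@example.test","op":"MailItemsAccessed","ip":"198.51.100.77","count":3400}
"""

# Assumed baseline: addresses each account has signed in from before.
KNOWN_IPS = {
    "alice@example.test": {"203.0.113.10"},
    "bob@example.test": {"203.0.113.11"},
}
INTERNAL_DOMAINS = {"example.test"}   # assumed organization domain
BULK_READ_THRESHOLD = 500             # assumed; tune to normal usage


def parse_events(text):
    """Parse JSON-lines audit text into a list of event dicts."""
    return [json.loads(line) for line in text.strip().splitlines() if line.strip()]


def review_activity(events, known_ips=KNOWN_IPS, internal=INTERNAL_DOMAINS):
    """Return {user: [finding, ...]} for accounts showing compromise indicators.

    Users with no findings are not included in the result.
    """
    findings = defaultdict(list)
    for e in events:
        user, ip, op = e["user"], e.get("ip"), e["op"]
        if op == "UserLoggedIn":
            # A sign-in that did not complete MFA is the first thing a phished
            # password enables; a sign-in from an unseen address is the second.
            if not e.get("mfa", False):
                findings[user].append(f"password-only login from {ip} at {e['ts']}")
            if ip not in known_ips.get(user, set()):
                findings[user].append(f"login from previously unseen IP {ip}")
        elif op == "New-InboxRule":
            # Forwarding rules to external addresses are the classic way an
            # intruder keeps receiving mail after the password is reset.
            dest = e.get("forward_to", "")
            if dest and dest.rsplit("@", 1)[-1] not in internal:
                findings[user].append(f"forwarding rule to external address {dest}")
        elif op == "MailItemsAccessed" and e.get("count", 0) >= BULK_READ_THRESHOLD:
            # Reading thousands of items in one session is how a mailbox full
            # of PHI gets harvested.
            findings[user].append(f"bulk mailbox read of {e['count']} items from {ip}")
    return dict(findings)


def main():
    for user, items in review_activity(parse_events(SAMPLE_EVENTS)).items():
        print(user)
        for item in items:
            print("  -", item)


if __name__ == "__main__":
    main()
```

Run stand-alone, the script reports nothing for alice and four findings for bob. The value of this kind of review is in running it on a schedule against the real audit feed rather than once after a breach is reported; each of the three indicators is also a natural alert to wire into existing monitoring, and the MFA check becomes moot once MFA is enforced rather than merely logged.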

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.
