Enforcement Rule Stats

This page collects basic information on Enforcement Rule resolutions, penalties, and breaches reported pursuant to section 13402(e)(4) of the HITECH Act.

Breaches

As required by section 13402(e)(4) of the HITECH Act, all breaches affecting 500 or more individuals must be posted; that information can be found here. Note that the list only goes back to the section’s effective date, so the earliest entry is dated October 21, 2009. Of note, Civil Money Penalties (CMPs) under HITECH (section 13410(d)) became effective February 18, 2009, which significantly increased the fine amounts and the annual maximum per violation.

Civil Money Penalties

The Enforcement Rule provides standards for the enforcement of, and civil and criminal penalties for violations of, the Privacy and Security Rules. It was established under HIPAA on February 16, 2006 and modified by HITECH on October 29, 2009 (interim final rule – enhanced amounts) and by the Omnibus Final Rule on January 25, 2013 (updated to include Business Associates (BAs)). The Office for Civil Rights (OCR) works in conjunction with the Department of Justice (DOJ) to prosecute criminal violations. There are four CMP tiers, as found in 45 CFR §160.404(b)(2).

  • Unknowing: “a violation in which it is established that the covered entity or business associate did not know and, by exercising reasonable diligence, would not have known that the covered entity or business associate violated each provision.” The CMP is $100-$50,000 per violation, not to exceed $1,500,000 for identical violations per calendar year.
  • Reasonable cause: “a violation in which it is established that the violation was due to reasonable cause and not to willful neglect.” That is, if the covered entity or business associate had exercised reasonable diligence, then they would have known. However, it was not done out of willful neglect. The CMP is $1,000-$50,000 per violation, not to exceed $1,500,000 for identical violations per calendar year.
  • Corrected willful neglect: “a violation in which it is established that the violation was due to willful neglect and was corrected during the 30-day period beginning on the first date the covered entity or business associate liable for the penalty knew, or, by exercising reasonable diligence, would have known that the violation occurred.” That is, it was caused by conscious, intentional failure or reckless indifference to comply with the law, but was corrected within the 30-day window after discovery. The CMP is $10,000-$50,000 per violation, not to exceed $1,500,000 for identical violations per calendar year.
  • Uncorrected willful neglect: “a violation in which it is established that the violation was due to willful neglect and was not corrected during the 30-day period beginning on the first date the covered entity or business associate liable for the penalty knew, or, by exercising reasonable diligence, would have known that the violation occurred.” The CMP is $50,000 or more per violation, not to exceed $1,500,000 for identical violations per calendar year.
| Violation Category | Each Violation | Per Calendar Year Maximum for Identical Violations |
|---|---|---|
| Unknowing | $100-$50,000 | $1,500,000 |
| Reasonable cause | $1,000-$50,000 | $1,500,000 |
| Corrected willful neglect | $10,000-$50,000 | $1,500,000 |
| Uncorrected willful neglect | $50,000+ | $1,500,000 |

The best example of this can be found in the “Notice of Proposed Determination” for Cignet Health (from page 10 to the end), which is the only entity ever fined (not to be confused with paying a “Resolution Amount” – see the section “Resolutions and Penalties” below) for HIPAA violations as of this post. Since it was a fine, it was itemized by OCR. Also, the incidents occurred pre- and post-HITECH, so the breakdown uses both the HIPAA and the HITECH expanded values.

Breaches Affecting 1 Million or More Individuals

While there are over a thousand recorded breaches meeting the definition of HITECH 13402(e)(4) since the first listed on October 21, 2009, I thought it would be interesting to track those that affect 1 million or more individuals. These 19 events alone affected 141,990,454 individuals; assuming independent events, that is approximately 44% of the US Census Bureau’s May 2016 projection of 323,696,705 for the resident population plus armed forces overseas.

| CE/BA | Submission Date | State | Type | Number Affected | Type of Breach | Location of Breached Information |
|---|---|---|---|---|---|---|
| Anthem, Inc. Affiliated Covered Entity | 3/13/2015 | IN | Health Plan | 78,800,000 | Hacking/IT Incident | Network Server |
| Premera Blue Cross | 3/17/2015 | WA | Health Plan | 11,000,000 | Hacking/IT Incident | Network Server |
| Excellus Health Plan, Inc. | 9/9/2015 | NY | Health Plan | 10,000,000 | Hacking/IT Incident | Network Server |
| Science Applications International Corporation (SA | 11/4/2011 | VA | Business Associate | 4,900,000 | Loss | Other |
| Community Health Systems Professional Services Corporation | 8/20/2014 | TN | Business Associate | 4,500,000 | Theft | Network Server |
| University of California, Los Angeles Health | 7/17/2015 | CA | Healthcare Provider | 4,500,000 | Hacking/IT Incident | Network Server |
| Advocate Health and Hospitals Corporation, d/b/a Advocate Medical Group | 8/23/2013 | IL | Healthcare Provider | 4,029,530 | Theft | Desktop Computer |
| Medical Informatics Engineering | 7/23/2015 | IN | Business Associate | 3,900,000 | Hacking/IT Incident | Electronic Medical Record, Network Server |
| Banner Health | 8/3/2016 | AZ | Healthcare Provider | 3,620,000 | Hacking/IT Incident | Network Server, Other |
| Newkirk Products, Inc. | 8/9/2016 | NY | Business Associate | 3,466,120 | Hacking/IT Incident | Network Server |
| 21st Century Oncology | 3/4/2016 | FL | Healthcare Provider | 2,213,597 | Hacking/IT Incident | Network Server |
| Xerox State Healthcare, LLC | 9/10/2014 | TX | Business Associate | 2,000,000 | Unauthorized Access/Disclosure | Desktop Computer, Email, Laptop, Network Server, Other, Other Portable Electronic Device |
| IBM | 4/14/2011 | NY | Business Associate | 1,900,000 | Unknown | Other |
| GRM Information Management Services | 2/11/2011 | NJ | Business Associate | 1,700,000 | Theft | Electronic Medical Record, Other |
| AvMed, Inc. | 6/3/2010 | FL | Health Plan | 1,220,000 | Theft | Laptop |
| CareFirst BlueCross BlueShield | 5/20/2015 | MD | Health Plan | 1,100,000 | Hacking/IT Incident | Network Server |
| Montana Department of Public Health and Human Services | 7/7/2014 | MT | Health Plan | 1,062,509 | Hacking/IT Incident | Network Server |
| The Nemours Foundation | 10/7/2011 | FL | Healthcare Provider | 1,055,489 | Loss | Other |
| BlueCross BlueShield of Tennessee, Inc. | 11/1/2010 | AL | Health Plan | 1,023,209 | Theft | Other |

Enforcement Data

Various aggregate data on enforcement can be found on HHS’s site here. Note, as of this post, the data has not been updated for over a year (only aggregates through 2013). Information includes a break-down by year and state, the number of complaints received per year, and the top five issues relating to corrective action.

Resolutions and Penalties

As of the date of this post (update), 47 organizations (New York and Presbyterian Hospital (NYP) twice) over 47 events (one shared event between NYP and Columbia University) have agreed to pay “Resolution Amounts” (an amount paid, with no admission of liability, to resolve violations of the HIPAA Privacy and/or Security Rules), and 3 have been assessed fines (Cignet Health; Lincare, Inc.; and Children’s Medical Center of Dallas). These summaries are derived from HHS’s published “Enforcement Rule Resolution Agreements”; to the best of my knowledge, these constitute the totality of events resulting in collections by OCR. The following table summarizes each agreement, sorted ascending on Resolution Date. I will try to keep this table up-to-date as more are released.

Each entry below gives the covered entity or business associate (CE/BA), a violation summary, the violation date(s) and findings, the number of individuals affected, the resolution date, and the amount.

Providence Health & Services
  Violation summary: Lost/stolen backup tapes, optical disks, and laptops containing unencrypted ePHI
  Violation date(s): 9/29/2005 (stolen laptop); 12/7/2005 (stolen laptop); 12/30/2005 (stolen backup tapes and optical disks); 2/27/2006 (stolen laptop); 3/3/2006 (stolen laptop)
  Affected: 386,000
  Resolution date: 7/16/2008
  Amount: $100,000

CVS Pharmacy, Inc.
  Violation summary: Improper disposal of PHI such as labels from prescription bottles in dumpsters with public access
  Violation date(s): 7/2006-5/2007 (improper disposal); 4/2003-11/2006 (insufficient training and documentation)
  Affected: “millions”
  Resolution date: 1/16/2009
  Amount: $2,250,000

Rite Aid Corporation
  Violation summary: Improper disposal of PHI such as labels from prescription bottles in dumpsters with public access
  Violation date(s): 7/2006-10/2006 (improper disposal); 4/2003-fall of 2008 (insufficient training and documentation)
  Affected: “millions”
  Resolution date: 7/27/2010
  Amount: $1,000,000

Management Services Organization Washington, Inc.
  Violation summary: Impermissible use and disclosure of ePHI (used the data to market and sell Medicare Advantage plans to patients through a separate entity owned by MSO, which earns commission)
  Violation date(s): 1/2007-11/2012
  Affected: “numerous”
  Resolution date: 12/13/2010
  Amount: $35,000

Cignet Health
  Violation summary: Denied 41 patients access to their medical records; refused to cooperate with OCR (willful neglect); OCR cited “aggravating factors” as part of determining the amount; disclosed the PHI of approximately 4,500 patients to OCR not listed in the subpoena (were asked for 11 records and delivered 59 boxes of medical records). First Civil Money Penalty.
  Violation date(s): 8/2008-10/2009 (denied access – $1,351,600 pre- and post-CMP update); 3/1/2009-4/7/2010 (refused to cooperate – $3M)
  Affected: 41
  Resolution date: 2/4/2011
  Amount: $4,351,600
General Hospital Corp. & Massachusetts General Physicians Organization
  Violation summary: Loss of PHI for 192 patients with infectious diseases (left on subway)
  Violation date(s): 3/9/2009
  Affected: 192
  Resolution date: 2/14/2011
  Amount: $1,000,000

University of California at Los Angeles Health System
  Violation summary: ePHI for two celebrity patients and numerous other patients was improperly viewed by hospital employees
  Violation date(s): 8/31/2005-11/16/2005 (numerous patients); 1/31/2008-2/2/2008 (one patient); 2005-2008 (insufficient training, documentation, and sanctions, and numerous patient ePHI violations); 2005-2009 (failure to implement security measures)
  Affected: “numerous”
  Resolution date: 7/6/2011
  Amount: $865,500

Blue Cross Blue Shield of Tennessee
  Violation summary: 57 unencrypted hard drives containing PHI for 1,023,209 individuals were stolen (amongst other, non-covered artifacts) from a biometric- and keycard-secured network data closet with a magnetic lock, in a key-locked room, with security service protection; this was in an old facility they had recently moved from, with plans to move the servers the next month (how???)
  Violation date(s): 10/2/2009
  Affected: 1,023,209
  Resolution date: 3/13/2012
  Amount: $1,500,000

Phoenix Cardiac Surgery
  Violation summary: Posting clinical and surgical appointments for their patients on an Internet-based calendar that was publicly accessible; transmitting ePHI from one Internet-based email account to another
  Violation date(s): 4/14/2003-10/21/2009 (insufficient training and documentation); 7/3/2007-2/6/2009 (posted over 1,000 calendar entries); 9/1/2005-11/1/2009 (ePHI email-to-email transmission and storage); 9/1/2005-4/16/2009 (no security official); 9/1/2005-11/30/2009 (failed to conduct required assessments); 7/3/2007-12/3/2009 (no business associate agreement with the Internet-based calendar entity)
  Affected: ?
  Resolution date: 4/13/2012
  Amount: $100,000

Alaska DHHS
  Violation summary: USB hard drive possibly containing ePHI was stolen; did not complete a risk analysis, implement sufficient risk management measures, complete security training, implement device and media controls, or address device and media encryption
  Violation date(s): ~10/12/2009
  Affected: ?
  Resolution date: 6/26/2012
  Amount: $1,700,000

Massachusetts Eye and Ear Infirmary and Massachusetts Eye and Ear Associates, Inc.
  Violation summary: Theft of unencrypted personal laptop containing ePHI of patients and research subjects; was not compliant with the Security Rule
  Violation date(s): ~4/21/2010 (theft); 4/20/2005-10/29/2009 (failed to conduct required assessments); 4/20/2005-3/8/2010, 4/20/2005-5/17/2010, 4/20/2005-6/15/2010 (various Security Rule violations)
  Affected: ?
  Resolution date: 9/17/2012
  Amount: $1,500,000

Hospice of Northern Idaho
  Violation summary: Theft of laptop containing ePHI
  Violation date(s): 2/16/2011 (theft); 4/20/2005-5/1/2011, 4/20/2005-1/17/2012 (various Security Rule violations)
  Affected: 441
  Resolution date: 12/31/2012
  Amount: $50,000

Idaho State University
  Violation summary: System breach of unsecured ePHI
  Violation date(s): ~8/9/2011 (breach); 4/1/2007-6/6/2012, 4/1/2007-11/26/2012 (various Security Rule violations)
  Affected: 17,500
  Resolution date: 5/21/2013
  Amount: $400,000

Shasta Regional Medical Center
  Violation summary: Two senior leaders discussed medical services provided to a patient, without consent, with the media; also sent detailed information about the patient’s medical history to between 785 and 900 staff members via email; no sanctions
  Violation date(s): 12/13/2011-12/20/2011
  Affected: 1
  Resolution date: 6/13/2013
  Amount: $275,000
WellPoint
  Violation summary: Failed to adequately verify online identities prior to granting access to ePHI
  Violation date(s): 10/23/2009-3/7/2010 (various Security Rule violations)
  Affected: 612,402
  Resolution date: 7/11/2013
  Amount: $1,700,000

Affinity Health Plan, Inc.
  Violation summary: Failed to erase data on photocopier hard drives prior to returning them to the leasing agent
  Violation date(s): ~4/15/2010
  Affected: 344,579
  Resolution date: 8/14/2013
  Amount: $1,215,780

Adult & Pediatric Dermatology, P.C.
  Violation summary: Theft of thumb drive containing unencrypted ePHI
  Violation date(s): 9/14/2011 (theft); 4/20/2005-2/7/2012, 4/20/2005-10/1/2012 (various Security Rule violations)
  Affected: ~2,200
  Resolution date: 12/20/2013
  Amount: $150,000

Skagit County, WA
  Violation summary: ePHI accessible on a public web server
  Violation date(s): 9/14/2011-9/28/2011 (breach); 4/20/2005-6/1/2012, 4/20/2005-present (3/7/2014) (various Security Rule violations)
  Affected: 1,581
  Resolution date: 3/7/2014
  Amount: $215,000

Concentra Health Services
  Violation summary: Stolen laptop with unsecured ePHI
  Violation date(s): 11/30/2011 (theft); 10/27/2008-6/22/2012 (various Security Rule violations)
  Affected: ?
  Resolution date: 4/22/2014
  Amount: $1,725,220

QCA Health Plan, Inc.
  Violation summary: Stolen laptop with unsecured ePHI
  Violation date(s): 10/8/2011 (theft); 4/20/2005-6/18/2012 (various Security Rule violations)
  Affected: 148
  Resolution date: 4/22/2014
  Amount: $250,000

New York and Presbyterian Hospital & Columbia University
  Violation summary: A physician attempted to deactivate a personally-owned server on the network, causing ePHI to be publicly available on Internet search engines; also, the server was never vetted for security nor for access to the data
  Violation date(s): 9/27/2010
  Affected: 6,800
  Resolution date: 5/7/2014
  Amount: $3,300,000 (NYPH) and $1,500,000 (Columbia)

Parkview Health System, Inc.
  Violation summary: Left 71 boxes of PHI on a physician’s driveway; Parkview had been reviewing the records to decide whether to purchase a retiring physician’s practice
  Violation date(s): 6/4/2009
  Affected: 5,000-8,000
  Resolution date: 6/23/2014
  Amount: $800,000
Anchorage Community Mental Health Services (ACMHS)
  Violation summary: Did not perform an adequate risk analysis for technical security (did not maintain firewalls or other security software properly, e.g., failed to implement patches or to use appropriate inbound/outbound traffic monitoring), leading to a malware data breach of 2,743 ePHI records.
  Violation date(s) and findings:
    4/21/2005 (Security Rule effective date)-3/12/2012:
    (1) Failed to conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability (CIA) of ePHI.
    (2) Failed to implement policies and procedures requiring implementation of security measures sufficient to reduce risks and vulnerabilities.
    1/1/2008-3/29/2012:
    (1) Failed to implement technical security measures to guard against unauthorized access to ePHI that is transmitted over an electronic communications network.
    (2) Failed to ensure that firewalls were in place with threat identification monitoring of inbound and outbound traffic and that information technology resources were both supported and regularly updated with available patches.
    Reported: 6/1/2012
  Affected: 2,743
  Resolution date: 12/2/2014
  Amount: $150,000

Cornell Prescription Pharmacy (small, single-location pharmacy)
  Violation summary: On January 13, 2012, OCR initiated a compliance review after a media report (channel 9 in Denver) dated January 11, 2012. Threw PHI (documents) into a dumpster accessible by the public. The investigation began February 27, 2012.
  Violation date(s) and findings:
    1/11/2012 (no offense dates listed):
    (1) Failed to implement any written policies and procedures as required by the HIPAA Privacy Rule.
    (2) Failed to provide training on policies and procedures to its workforce as required by the Privacy Rule.
  Affected: 1,610
  Resolution date: 4/22/2015
  Amount: $125,000

St. Elizabeth’s Medical Center (SEMC)
  Violation summary: On November 16, 2012, complaints were received from workforce members about the use of an internet-based document sharing application to store information containing the ePHI of 498+ individuals; the investigation began February 14, 2013. On August 25, 2014, a second breach of ePHI affecting 595 individuals occurred on a personal laptop and USB flash drive; that investigation began November 17, 2014.
  Findings:
    (1) Disclosure of ePHI for 1,093+ individuals
    (2) Failure to implement sufficient security measures regarding the transmission and storage of ePHI
    (3) Failed to identify and respond in a timely fashion to a known security incident, mitigate its harmful effects, and document it.
  Affected: 1,093+
  Resolution date: 7/10/2015
  Amount: $218,400

Cancer Care Group, P.C.
  Violation summary: July 19, 2012. A laptop bag was stolen from an employee’s car containing a laptop (no ePHI) and server backup media (unencrypted ePHI of approximately 55,000 individuals).
  Violation date(s) and findings:
    4/21/2005 (Security Rule effective date)-11/5/2012:
    (1) Failed to conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability (CIA) of ePHI
    4/21/2005 (Security Rule effective date)-1/22/2013:
    (1) Failed to implement policies and procedures that govern the receipt and removal of hardware and electronic media containing ePHI into and out of the facility, and their movement within it
    7/19/2012:
    (1) Impermissible disclosure of the ePHI of approximately 55,000 individuals
  Affected: ~55,000
  Resolution date: 8/31/2015
  Amount: $750,000

Lahey Clinic Hospital, Inc.
  Violation summary: 8/11/2011. A laptop was stolen from an unlocked treatment room off the inner corridor of Lahey’s Radiology Department. It contained approximately 599 unencrypted ePHI records in connection with a computerized tomography (CT) scanner.
  Violation date(s) and findings:
    8/11/2011:
    (1) Failed to conduct an accurate and thorough analysis of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of its ePHI as part of the security management process (45 CFR 164.308(a)(1)(ii)(A)).
    (2) Failed to implement reasonable and appropriate physical safeguards for a workstation that accesses ePHI to restrict access to authorized users (45 CFR 164.310(c)).
    (3) Failed to implement reasonable and appropriate physical safeguards for a workstation that accesses ePHI to restrict access to authorized users (45 CFR 164.310(d)(1)).
    (4) Failed to assign a unique user name for identifying and tracking user identity with respect to the aforementioned workstation (45 CFR 164.312(a)(2)(i)).
    (5) Did not implement a mechanism to record and examine activity on the workstation at issue in this breach (45 CFR 164.312(b)).
    (6) Impermissibly disclosed the ePHI of 599 individuals for a purpose not permitted by the Privacy Rule (45 CFR 164.502(a)).
  Affected: 599
  Resolution date: 11/24/2015
  Amount: $850,000
Triple-S Management Corporation
  Violation summary (reported breaches):
    (1) 9/21/2010 (500+). Two former workforce members improperly accessed restricted areas of the corporation’s proprietary internet IPA database (thus accessing ePHI), as their access rights were not removed post-termination.
    (2) 9/23/2013 (500+). Vendor disclosed Medicare Advantage beneficiaries’ PHI on the outside of a pamphlet mailed to the beneficiaries on 9/20/2013. No Business Associate Agreement.
    (3) 4/16/2014 (duplicate). Subsidiary reported the #2 breach above.
    (4) 1/14/2014 (500+). Former employee of a BA copied ePHI onto a CD sometime before 10/9/2013. The data was taken home and eventually ended up being downloaded onto a computer at his new employer.
    (5) 10/15/2014 (500+). Unauthorized disclosure of PHI when the wrong information was mailed to beneficiaries.
    (6) 12/12/2014 (<500). Unauthorized disclosure of PHI when health plan IDs were placed on mailing labels.
    (7) 1/28/2015 (<500). A preventive mailing was sent to beneficiaries that included PHI from another member on the back of the member’s letter.
  Findings:
    (1) Impermissible disclosure of PHI (45 CFR 164.502(a)).
    (2) Failed to implement appropriate administrative, physical, and technical safeguards to protect PHI (45 CFR 164.530(c)(1) and (c)(2)(i)).
    (3) Impermissible disclosure of PHI to outside vendors without a BAA (45 CFR 164.314(a)(2)(1)).
    (4) Disclosed more PHI than was necessary to accomplish the purpose for which it hired the outside vendor (Minimum Necessary – 45 CFR 164.514(d)).
    (5) Failed to conduct an accurate and thorough risk analysis that incorporates all IT equipment, applications, and data systems utilizing ePHI (Risk Analysis – 45 CFR 164.308(a)(1)(ii)(A)).
    (6) Failed to implement security measures sufficient to reduce the risks and vulnerabilities to its ePHI to a reasonable and appropriate level (Risk Management Plan – 45 CFR 164.308(a)(3)(ii)(B)).
    (7) Failed to implement procedures for terminating access to ePHI when the employment of a workforce member ends (45 CFR 164.308(a)(3)(ii)(C)).
  Affected: Unknown, but OCR breaks the events up by >=500 and <500, so several thousand at least
  Resolution date: 11/30/2015
  Amount: $3,500,000

University of Washington Medicine
  Violation summary: Malware gained access to:
    (1) Approximately 76,000 patients, involving a combination of patient names, medical record numbers, dates of service, and/or charges or bill balances
    (2) Approximately 15,000 patients, involving names, medical record numbers, other demographics such as address and phone number, dates of birth, charges or bill balances, social security number, and insurance identification or Medicare numbers.
  Findings: UW Medicine failed to implement policies and procedures to prevent, detect, contain, and correct security violations. Specifically, it failed to conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of ePHI (45 CFR 164.308(a)(1)(i)).
  Affected: ~90,000
  Resolution date: 12/14/2015
  Amount: $750,000

Lincare, Inc.
  Violation summary:
    (1) Sometime in August 2008, Lincare employee Faith Shaw left 278 paper records (classified as PHI) in her home after changing residences. These were found by the remaining resident, her husband Richard Shaw, in November 2008, who reported the incident.
    (2) Mrs. Shaw stored the documents in her home and vehicles for extended periods of time, to which her husband had access.
    (3) Lincare took only minimal corrective actions after OCR findings were divulged.
    (4) Lincare claimed the PHI was stolen by Richard Shaw. The ALJ dismissed the claim because PHI needs to be protected from theft as well.
    Civil Money Penalty.
  Violation date(s) and findings:
    (1) 11/2008: Impermissible disclosure of PHI (45 CFR 164.502(a)) – $25,000 CMP max.
    (2) 2/01/2008-11/17/2008: Failure to safeguard PHI (45 CFR 164.530(c)) – $25,000 CMP max.
    (3) 2/1/2008-7/28/2009: Inadequate policies and procedures in place to safeguard PHI, specifically PHI taken off-premises (45 CFR 164.530(i)(1)). This violation is shown in three parts: 2/01/2008-12/31/2008 (calendar year limit – $25,000 CMP max), 1/1/2009-2/17/2009 (pre-HITECH expansion – $4,800), and 2/18/2009-7/28/2009 (enhanced amount – $160,000).
  Affected: 278
  Resolution date: 2/3/2016
  Amount: $239,800
Complete P.T., Pool & Land Physical Therapy, Inc. (CPT)
  Violation summary: CPT impermissibly disclosed PHI on its website by posting testimonials, including full names and full-face photographic images, without obtaining HIPAA-compliant authorization.
  Findings:
    (1) Failed to reasonably safeguard PHI (45 CFR 164.530(c)(1)).
    (2) Impermissibly disclosed PHI (45 CFR 164.502(a)).
    (3) Failed to implement policies and procedures with respect to PHI that were designed to comply with the requirements with regard to authorization (45 CFR 164.530(i)(1)).
  Affected: “numerous”
  Resolution date: 2/16/2016
  Amount: $25,000

North Memorial Health Care
  Violation summary: On July 25, 2011, an unencrypted laptop containing the ePHI of 9,497 individuals was stolen from a locked vehicle owned by a member of its business associate’s (Accretive Health) workforce.
  Findings:
    (1) Allowed Accretive access to its PHI without a business associate agreement from March 21, 2011 to October 14, 2011 (45 CFR 164.308(b) and 45 CFR 164.502(e)).
    (2) Impermissibly disclosed the PHI of at least 289,904 individuals to Accretive from March 21, 2011 to October 14, 2011 due to the lack of a business associate agreement (45 CFR 164.502(a)).
    (3) Failed to conduct an accurate and thorough risk analysis that included Accretive (45 CFR 164.308(a)(1)(ii)(A)).
  Affected: 9,497
  Resolution date: 3/16/2016
  Amount: $1,550,000

Feinstein Institute for Medical Research
  Violation summary: On September 2, 2012, an unencrypted laptop containing the ePHI of 13,000 individuals was stolen from an employee’s car.
  Findings:
    (1) Impermissible disclosure of PHI (45 CFR 164.502(a)).
    (2) Failed to conduct an accurate and thorough risk analysis of the potential risks and vulnerabilities to the CIA of its ePHI (45 CFR 164.308(a)(1)(ii)(A)).
    (3) Failed to implement policies and procedures for granting access to ePHI by its workforce members (45 CFR 164.308(a)(4)(ii)(B)).
    (4) Failed to implement physical safeguards for a laptop containing ePHI to restrict access to unauthorized users (45 CFR 164.310(c)).
    (5) Failed to implement policies and procedures that govern receipt and removal of hardware and electronic media containing ePHI into and out of a facility, and the movement of these items within the facility (45 CFR 164.310(d)).
    (6) Failed to implement a mechanism to encrypt ePHI or, alternatively, document why encryption was not reasonable and appropriate and implement an equivalent alternative measure to encryption to safeguard ePHI (45 CFR 164.312(a)(2)(iv)).
  Affected: 13,000
  Resolution date: 3/17/2016
  Amount: $3,900,000

Raleigh Orthopaedic Clinic, P.A. (ROC)
  Violation summary: Impermissible disclosure of PHI to a third-party vendor, as no BAA was in place.
  Findings:
    (1) ROC disclosed PHI contained in x-ray films to a third-party vendor, acting as its BA, without obtaining satisfactory assurances in the form of a written BAA, in violation of the Privacy Rule (45 CFR 164.502(e)).
    (2) ROC disclosed the PHI of 17,300 individuals in violation of the Privacy Rule when it conveyed x-ray films to the third-party vendor (45 CFR 164.502(a)).
  Affected: 17,300
  Resolution date: 4/14/2016
  Amount: $750,000

New York and Presbyterian Hospital (NYP)
  Violation summary: On April 28, 2011, NYP impermissibly disclosed protected health information (PHI) to a film crew and other staff of “NY Med,” a television program being filmed in the hospital.
  Findings:
    (1) NYP impermissibly disclosed the PHI of two identified patients to the film crew and other staff of “NY Med” (45 CFR 164.502(a)).
    (2) NYP failed to appropriately and reasonably safeguard its patients’ PHI from disclosure during the filming of “NY Med” on its premises. NYP also failed to implement policies, procedures and practices to protect the privacy of its patients’ PHI during the filming of the aforementioned television show (45 CFR 164.530(c)).
  Affected: 2
  Resolution date: 4/19/2016
  Amount: $2,200,000

Catholic Health Care Services of the Archdiocese of Philadelphia (CHCS)
  Violation summary: Theft of mobile device.
  Findings:
    (1) From September 23, 2013, the compliance date of the Security Rule for business associates, until the present, CHCS failed to conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of ePHI held by CHCS (45 CFR 164.308(a)(1)(ii)(A)).
    (2) From September 23, 2013, the compliance date of the Security Rule for business associates, until the present, CHCS failed to implement appropriate security measures sufficient to reduce the risks and vulnerabilities to a reasonable and appropriate level to comply with 164.306(a) of the Security Rule (45 CFR 164.308(a)(1)(ii)(B)).
  Affected: 412
  Resolution date: 6/24/2016
  Amount: $650,000
Oregon Health Sciences University (OHSU)
  Violation summary: Two reports regarding unencrypted laptops and one unencrypted thumb drive. Widespread vulnerabilities, including the storage of ePHI for 3,044 individuals on a cloud-based server without a BAA. OCR found significant risk of harm to 1,361 of those affected due to the sensitive nature of their diagnoses. While OHSU performed risk analyses on a regular basis, OCR found them inadequate, and OHSU failed to implement measures (in a timely manner) to address vulnerabilities its own internal analyses identified. OHSU also lacked adequate policies and procedures in various Security Rule areas.
  Findings:
    (1) From January 5, 2011, until July 3, 2013, OHSU disclosed the ePHI of 3,044 individuals in violation of the Privacy Rule (45 CFR 160.103 and 164.502(a)) when a workforce member disclosed the ePHI to a third-party internet-based service provider without obtaining a BAA or other satisfactory assurance that the internet-based service provider would safeguard the ePHI.
    (2) From January 5, 2011, until July 3, 2013, OHSU failed to obtain a BAA from an internet-based service provider that was storing ePHI on its behalf as a BA, as required by 45 CFR 164.308(b).
    (3) From January 5, 2011, until July 3, 2013, OHSU failed to implement policies and procedures to prevent, detect, contain, and correct security violations (45 CFR 164.308(a)(1)(i)).
    (4) From July 12, 2010, to present, OHSU failed to implement a mechanism to encrypt and decrypt ePHI or an equivalent alternative measure for all ePHI maintained in OHSU’s enterprise (45 CFR 164.312(a)(2)(iv) and 164.306(d)(3)).
    (5) From May 29, 2013, until July 3, 2013, OHSU failed to implement policies and procedures to address security incidents (45 CFR 164.308(a)(6)(i)).
  Affected: 3,044
  Resolution date: 7/18/2016
  Amount: $2,700,000

University of Mississippi Medical Center (UMMC)
  Violation summary: Lost (likely stolen by a visitor) password-protected laptop from UMMC’s Medical Intensive Care Unit (MICU). The laptop (with a generic username and password) had access to a network drive containing the ePHI of approximately 10,000 individuals.
  Findings:
    (1) From the compliance date of the Security Rule, April 20, 2005, until present, UM failed to implement policies and procedures to prevent, detect, contain, and correct security violations, including conducting an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of all of the ePHI it holds, and implementing security measures sufficient to reduce risks and vulnerabilities to a reasonable and appropriate level (45 CFR 164.308(a)(1)(i)).
    (2) From January 19, 2013, until March 1, 2014, UM failed to implement physical safeguards for all workstations that access ePHI to restrict access to authorized users (45 CFR 164.310(c)).
    (3) From the compliance date of the Security Rule, April 20, 2005, to March 14, 2013, UM failed to assign a unique user name and/or number for identifying and tracking user identity in information systems containing ePHI, including, for example, allowing workforce members to access ePHI on a shared department network drive through a generic account, preventing UMMC from tracking which specific users were accessing ePHI (45 CFR 164.312(a)(2)(i)).
    (4) UM, following the discovery of this breach of unsecured ePHI, provided notification on UMMC’s website and in local media outlets, but failed to notify each individual whose unsecured ePHI was reasonably believed to have been accessed, acquired, used, or disclosed as a result of the breach (45 CFR 164.404).
  Affected: ~10,000
  Resolution date: 7/7/2016
  Amount: $2,750,000

Advocate Health Care
  Violation summary: Three breaches by its subsidiary (Advocate Medical Group) in 2013 affecting the ePHI of nearly 4 million individuals.
    (breach 1) Four computers stolen on 7/15/2013 with the ePHI of 3,994,175 (final, amended number) individuals.
    (breach 2) Unauthorized access to a BA’s (Blackhawk Consulting Group) system between 6/30/2013 and 8/15/2013, affecting the ePHI of 2,027 individuals.
    (breach 3) Unencrypted laptop stolen from a workforce member’s unlocked vehicle, containing the ePHI of 2,237 individuals.
  Findings:
    (1) Advocate Health Care failed to conduct an accurate and thorough risk analysis that incorporates all of its facilities, information technology equipment, applications and data systems utilizing ePHI (45 CFR 164.308(a)(1)(ii)(A)).
    (2) Advocate Health Care failed to implement policies and procedures to limit physical access to its electronic information systems housed within the Touhy Support Center (45 CFR 164.310(a)(1)).
    (3) Advocate Health Care failed to reasonably safeguard the ePHI of approximately 3,994,175 individuals at the Touhy Support Center (45 CFR 164.530(c)).
    (4) Advocate Health Care failed to obtain satisfactory assurances in the form of a written BAA from Blackhawk that Blackhawk would appropriately safeguard all Advocate Health Care ePHI that was in Blackhawk’s possession or control (45 CFR 164.308(b)(1)).
    (5) Advocate Health Care impermissibly disclosed the ePHI of approximately 2,027 individuals to Blackhawk when it failed to obtain satisfactory assurances in the form of a BAA that Blackhawk would appropriately safeguard all Advocate Health Care ePHI that was in Blackhawk’s possession or control (45 CFR 160.103 and 164.502(a)).
    (6) Advocate Health Care failed to reasonably safeguard the ePHI of approximately 2,237 individuals when an Advocate Medical Group workforce member left an unencrypted laptop in an unlocked vehicle overnight (45 CFR 164.530(c)).
  Affected: 3,994,175
  Resolution date: 7/7/2016
  Amount: $5,550,000
Women & Infants Hospital (WIH), Rhode Island – CE under Care New England Health System (CNE)
Loss of unencrypted backup tapes containing the ultrasound studies of 14,004 individuals. WIH’s BAA with CNE was dated March 15, 2005, and had not been updated prior to this event. The Massachusetts Attorney General’s Office reached a $150,000 settlement with WIH (CNE operates in Massachusetts), which OCR deemed sufficient to cover most of the conduct in the breach.
(1) From September 23, 2014, until August 28, 2015, WIH disclosed PHI and allowed its business associate to create, receive, maintain, or transmit PHI on its behalf without obtaining satisfactory assurances in accordance with 45 C.F.R. §§ 164.504(e)(2) and 164.314(a). WIH failed to renew or modify its existing written business associate agreement with Care New England Health System, its business associate, to include the applicable implementation specifications required by the Privacy and Security Rules. See 45 C.F.R. §§ 164.502(e), 164.308(a), 164.532(d).
(2) From September 23, 2014, until August 28, 2015, WIH impermissibly disclosed the PHI of at least 14,004 individuals to its business associate when WIH provided Care New England Health System with access to PHI without obtaining satisfactory assurances, in the form of a written business associate agreement, that Care New England Health System would appropriately safeguard the PHI. See 45 C.F.R. § 164.502(a).
Affected: 14,004 | Date: 9/23/2016 | Penalty: $400,000
St. Joseph Health
SJH notified OCR on 2/14/2012 that reports created for Meaningful Use attestation containing ePHI were publicly accessible via Google from 2/1/2011 to 2/13/2012. The root cause was a misconfigured network server.
(1) 2/1/2011-2/13/2012: impermissibly disclosed the PHI of 31,800 individuals – 45 CFR 164.502(a).
(2) 7/1/2010-7/10/2012: failed to perform an evaluation in response to application and server configuration changes that compromised security – 45 CFR 164.308(a)(8).
(3) 7/1/2010-present: failed to conduct an accurate and thorough risk analysis – 45 CFR 164.308(a)(1)(ii)(A).
Affected: 31,800 | Date: 10/17/2016 | Penalty: $2,140,500
University of Massachusetts Amherst
UMass notified OCR on 6/4/2013 that a workstation was infected with malware, which may have resulted in the breach of 1,670 records.
(1) Failed to include each component that would meet the definition of a CE or BA if it were a separate legal entity in its hybrid entity designation (referring to the Center where the breach occurred) – 45 CFR 164.105(a)(2).
(2) Did not conduct an accurate and thorough risk analysis of the potential risks and vulnerabilities to the confidentiality, integrity, and availability (CIA) of all its ePHI – 45 CFR 164.308(a)(1)(ii)(A).
(3) Did not implement technical security measures at the Center to guard against unauthorized access to ePHI transmitted over an electronic communications network by ensuring that firewalls were in place – 45 CFR 164.312(e).
(4) Provided access to the ePHI of 1,670 individuals whose information was maintained on a workstation at the Center that was infected by malware – 45 CFR 164.502(a).
Affected: 1,670 | Date: 11/22/2016 | Penalty: $650,000
Presence Health
PH notified OCR on 1/31/2014 that on 10/22/2013 it had discovered that paper-based operating room schedules were missing. Due to miscommunication between workforce members, breach notification was delayed. Upon further investigation, OCR determined that PH had also failed to provide timely breach notification for prior incidents.
First enforcement action for lack of timely breach notification.
(1) Failed to provide timely written notification of the breach that it discovered on 10/22/2013 to the individuals whose PHI had been compromised (104 calendar days instead of the maximum allowed 60) – 45 CFR 164.404(b).
(2) Failed to provide timely written notification of the breach that it discovered on 10/22/2013 to prominent media outlets serving the state or jurisdiction in which more than 500 of the affected individuals reside (106 calendar days instead of the maximum allowed 60) – 45 CFR 164.406(b).
(3) Failed to provide timely written notification of the breach that it discovered on 10/22/2013 to HHS (101 calendar days instead of the maximum allowed 60) – 45 CFR 164.408(b).
Affected: 836 | Date: 1/9/2017 | Penalty: $475,000
MAPFRE Life Insurance Company of Puerto Rico (from wayback machine)
MAPFRE notified OCR on 9/29/2011 that a USB drive was stolen from its IT department, where it had been left without safeguards overnight.
MAPFRE made false statements to OCR and failed to follow through on actions it stated it would implement.
Link to Resolution Agreement is broken – extracted from press release.
(1) Failed to conduct a risk analysis and implement risk management plans (contrary to its prior representations).
(2) Failed to deploy encryption until 9/1/2014.
(3) Failed to implement, or delayed implementing, other corrective measures it had informed OCR it would undertake.
Affected: 2,209 | Date: 1/18/2017 | Penalty: $2,200,000
Children’s Medical Center of Dallas
CMCD notified OCR on 1/18/2010 of the loss of an unencrypted BlackBerry at Dallas/Fort Worth International Airport on 11/19/2009 – 3,800 affected. CMCD failed to implement encryption or an alternative method, or to document why encryption was not necessary (though it had been deemed necessary).
CMCD notified OCR on 8/22/2011 that an iPod synced to an email account containing ePHI was lost – 22 affected.
CMCD notified OCR on 7/5/2013 of a laptop theft – 2,462 affected.
Civil Money Penalty.
(1) Failed to implement access controls – encryption and decryption, or an alternative measure – 45 CFR 164.312(a)(2)(iv).
(2) Failed to document its decision not to implement encryption or an equivalent alternative measure and the rationale behind that decision – 45 CFR 164.306(d)(3).
(3) Failed to implement sufficient policies and procedures governing the receipt and removal of hardware and electronic media containing ePHI into and out of its facility – 45 CFR 164.310(d)(1).
(4) Impermissibly disclosed the PHI of at least 2,484 individuals – 45 CFR 164.502(a).
Affected: 6,284 | Date: 2/1/2017 | Penalty: $3,217,000
Memorial Healthcare System
MHS notified OCR on 4/12/2012 that 2 MHS employees had inappropriately accessed patient information; amended on 7/11/2012 to 12 employees.
(1) Impermissibly disclosed the PHI of 80,000 individuals – 45 CFR 160.103 and 164.502(a).
(2) Failed to implement procedures to regularly review records of information system activity (e.g., audit logs, access reports, and security incident tracking reports) – 45 CFR 164.308(a)(1)(ii)(D).
(3) Failed to implement policies and procedures that establish, document, review, and modify a user’s right of access to a workstation, transaction, program, or process – 45 CFR 164.308(a)(4)(ii)(C).
Affected: 80,000 | Date: 2/16/2017 | Penalty: $5,500,000
Metro Community Provider Network
MCPN notified OCR on 1/27/2012 that a hacker had accessed employees’ email on 12/5/2011.
(1) Failed to conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of ePHI.
(2) Failed to implement security measures sufficient to reduce risks and vulnerabilities to a reasonable and appropriate level – 45 CFR 164.308(a)(1)(i).
Affected: 3,200 | Date: 4/12/2017 | Penalty: $400,000
Center for Children’s Digestive Health
On 8/13/2015, OCR opened an investigation into CCDH’s use of a third-party vendor, Filefax, which stored inactive paper medical records.
No BAA.
(1) Failed to obtain satisfactory assurances from the BA, in the form of a BAA, that the BA would appropriately safeguard the PHI in the BA’s control – 45 CFR 164.502(e).
(2) Impermissibly disclosed the PHI of at least 10,728 individuals to the BA – 45 CFR 164.502(a).
Affected: 10,728 | Date: 4/20/2017 | Penalty: $31,000
CardioNet
CardioNet notified OCR on 1/10/2012 and 2/27/2012 of breaches of its ePHI.
(1) Failed to implement the specifications required to establish a security management process to prevent, detect, contain, and correct security violations. Specifically, CardioNet failed to conduct an accurate and thorough risk analysis – 45 CFR 164.308(a)(1).
(2) Failed to implement policies and procedures governing the receipt and removal of hardware and electronic media containing ePHI into and out of its facilities, the encryption of such media, and the movement of these items within its facilities – 45 CFR 164.310(d)(1).
(3) Failed to safeguard against the impermissible disclosure of protected health information by its employees.
Affected: 3,610 | Date: 4/24/2017 | Penalty: $2,500,000
Memorial Hermann Health System
On 10/13/2015, OCR initiated a compliance review of MHHS based on multiple media reports suggesting that MHHS had disclosed a patient’s PHI to the media and various public officials without the patient’s authorization.
(1) Failed to safeguard PHI.
(2) Impermissibly disclosed the patient’s PHI through press releases issued to fifteen media outlets and/or reporters. Following the publication, senior leaders further disclosed the patient’s PHI during three meetings with an advocacy group, state representatives, and a state senator – 45 CFR 164.502(a).
(3) Failed to timely document the sanctions imposed against members of its workforce who failed to comply with its privacy policies and procedures or the Privacy Rule – 45 CFR 164.530(e)(2).
Affected: 1 | Date: 5/10/2017 | Penalty: $2,400,000
St. Luke’s-Roosevelt Hospital Center Inc.
On 9/12/2014, OCR received a complaint against St. Luke’s Co Center for Health alleging that on 9/10/2014 a staff member impermissibly disclosed the complainant’s PHI by faxing his medical records to his employer. During the investigation, a second patient was identified.
(1) Impermissibly disclosed the PHI of two identified patients – 45 CFR 164.502(a).
(2) Failed to reasonably safeguard two identified patients’ PHI from any intentional or unintentional disclosure during faxing – 45 CFR 164.530(c)(2)(i).
Affected: 2 | Date: 5/23/2017 | Penalty: $387,200

Created by: Ray Hylock on 2015-08-29 @ 16:02
Last updated by: Ray Hylock on 2017-08-29 @ 17:48