On August 8th, 2016, the U.S. Department of Health and Human Services (HHS) Office of Civil Rights (OCR) issued the largest Health Insurance Portability and Accountability Act (HIPAA) settlement to date with Advocate Health Care System (Advocate). Advocate agreed to pay $5.55 million to settle a variety of HIPAA violations. Advocate is the largest health system in Illinois and operates more than 400 sites of care with 12 acute care hospitals. This settlement comes in the wake of a series of recent HIPAA violation settlements and other enforcement activities by OCR, including phase 2 of the HIPAA audit program.
Last week, the University of Washington Medicine (UWM), an affiliated covered entity that includes multiple entities such as the University of Washington Medical Center, agreed to settle alleged violations of the Health Insurance Portability and Accountability Act of 1996 (HIPAA) by paying $750,000 and implementing a substantial corrective action plan.
Recently, Lahey Hospital and Medical Center (Lahey), a nonprofit teaching hospital located in Massachusetts, agreed to settle alleged violations of the Health Insurance Portability and Accountability Act of 1996 (HIPAA) by paying $850,000 and adopting a robust corrective action plan.
Last week, the University of Rochester Medical Center (URMC) reached agreement with the New York Office of the Attorney General (NYOAG) to settle alleged violations of the Health Insurance Portability and Accountability Act of 1996 (HIPAA) by paying $15,000 and adopting a substantial corrective action plan.
Last week, the Connecticut Attorney General (the “Connecticut AG”) announced that Hartford Hospital and its subcontractor, EMC Corporation (“EMC”), agreed to settle potential violations of the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”). The entities will collectively pay a $90,000 penalty and also sign an Assurance of Voluntary Compliance (an “AVC”).
The Office of Inspector General (OIG) of the U.S. Department of Health and Human Services (HHS) issued two reports yesterday calling for the HHS Office of Civil Rights (OCR) to strengthen its Health Insurance Portability and Accountability Act (HIPAA) enforcement efforts. In response to these reports, HHS announced that it will launch HIPAA audits early next year in order to be more proactive in HIPAA enforcement.
Excellus, a BlueCross BlueShield (BCBS) provider servicing upstate New York, announced last week that it was the latest in a string of BCBS providers that experienced a data breach as a result of a cyberattack. CareFirst BlueCross Blue Shield, Anthem, and Premera Blue Cross all recently announced they were the victims of sophisticated cyberattacks impacting millions of consumers.
Excellus stated that it discovered this breach on August 5th as a result of the company’s ongoing security efforts in the wake of recent health industry cyberattacks. The company hired cybersecurity firm Mandiant to conduct a forensics analysis of the information technology (IT) system. Mandiant found evidence that cyberattackers had executed a sophisticated attack to gain unauthorized access to Excellus’ IT systems and had been in the IT systems since December 23, 2013.
The information potentially accessed includes date of birth, Social Security number, mailing address, telephone number, member identification number, financial account information and claims information for its members. This incident also affected members of other BCBS plans who sought treatment in the 31-county upstate New York service area of Excellus BCBS. Additionally, individuals who do business with Excellus were also affected.
This incident again highlights the ongoing efforts that companies, particularly those in the health industry, must make to protect against and respond to cyberattacks. Hackers are using more sophisticated techniques against those in the health care industry and may be able to conduct attacks for long periods of time without detection if appropriate actions are not taken.