HHS Announces $225,000 Settlement Following Their HIPAA Investigation Identifying Privacy and Security Failures
How did the HIPAA Investigation Begin?
The HIPAA investigation began in May 2023 following a complaint that the provider had exposed patients’ electronic protected health information (ePHI) online. The data—names, dates of birth, diagnoses, patient ID numbers, and facility information—was accessible through internet search engines due to a coding error in a discontinued pilot program for a patient portal. The exposed information remained publicly available from December 2021 until May 19, 2023.
OCR confirmed that 35 individuals’ ePHI was impermissibly disclosed online. The situation worsened in August 2023 when the provider experienced a cyberattack involving a compromised user account. A threat actor claimed to have exfiltrated sensitive data and demanded payment to prevent its release on the dark web. The breach impacted 171,871 individuals, requiring breach notifications to HHS, affected individuals, and the media.
OCR Findings Post HIPAA Investigation and Penalties
OCR concluded that the provider failed to conduct an accurate and thorough HIPAA risk analysis, a requirement under the HIPAA Security Rule designed to identify risks and vulnerabilities to ePHI. This deficiency left the organization susceptible to both human error and malicious intrusion.
To resolve the matter, the provider agreed to:
– Pay $225,000 to HHS,
– Implement a corrective action plan, and
– Undergo two years of monitoring by OCR.
Corrective Action Plan Requirements
Under the agreement, the provider is required to:
– Conduct annual risk analyses and update them as needed,
– Develop a risk management plan to address identified threats,
– Maintain and revise written HIPAA policies and procedures, and
– Provide annual workforce training for employees with PHI access.
Lessons for the Healthcare Industry
This case serves as a powerful reminder that proactive HIPAA compliance is essential. OCR Director Paula M. Stannard emphasized:
“An accurate and thorough HIPAA risk analysis can minimize the exposure of ePHI from both malicious actors and inadvertent errors.”
OCR advises all covered entities and business associates to:
– Identify how and where ePHI flows through their systems,
– Regularly conduct and update risk analyses,
– Implement audit controls and review system activity,
– Encrypt ePHI in transit and at rest,
– Ensure secure access through authentication mechanisms, and
– Provide job-specific HIPAA training to employees.
Why This Matters
As digital health systems continue to expand, so does the responsibility to secure patient data. This case illustrates the financial and reputational risks healthcare organizations face when they fail to conduct proper risk assessments or maintain strong privacy and security safeguards.
Have Questions?
At MedSafe, we help healthcare organizations navigate HIPAA compliance through customized training, audits, and policy development. Don’t wait for an audit or breach to reveal a gap—take action now to protect your practice and your patients.
Contact us today to schedule a HIPAA compliance review or training session.
Additional Resources:
