US Hospitals Fined $2.175M for “Refusal to Properly Report” Data Breach

An American health services provider has agreed to pay a fine of $2.175m after refusing to properly report a data breach to the Department of Health and Human Services.

In April of 2017, a complaint regarding Sentara Hospitals was received by the Department of Health and Human Services (HHS). The complainant said that they had received a bill from Sentara Hospitals containing another patient’s protected health information (PHI).

An investigation launched by the Office for Civil Rights (OCR) determined that Sentara had merged the billing statements for 577 patients with 16,342 different guarantors’ mailing labels, resulting in the disclosure of the PHI of 577 individuals.

Information exposed by the breach included patient names, account numbers, and dates of services they had received.

Sentara reported this incident as a breach affecting only eight individuals. The health services provider had incorrectly concluded that unless a disclosure included patient diagnosis, treatment information, or other medical information, no reportable breach of PHI had occurred.

A spokesperson for HHS said: “Sentara persisted in its refusal to properly report the breach even after being explicitly advised of their duty to do so by OCR.”

The OCR also determined that Sentara Hospitals provides services involving the receipt, maintenance, and disclosure of PHI for its member-covered entities, but did not enter into a business associate agreement with its business associate Sentara Healthcare until October 17, 2018, well after the breach.

Sentara manages 12 acute-care hospitals with more than 300 sites throughout Virginia and North Carolina. The health services provider agreed to take corrective action and pay $2.175m to settle potential violations of the Health Insurance Portability and Accountability Act (HIPAA) Breach Notification and Privacy Rules.

Roger Severino, OCR director, said: “HIPAA compliance depends on accurate and timely self-reporting of breaches because patients and the public have a right to know when sensitive information has been exposed.

“When health care providers blatantly fail to report breaches as required by law, they should expect vigorous enforcement action by OCR.”

In addition to the monetary settlement, Sentara will undertake a corrective action plan that includes two years of monitoring. As part of the plan, Sentara will have to develop, maintain, and revise, as necessary, their written policies and procedures to comply with federal standards.
