Guiding Your Organization to Compliance Health and Keeping your Healthcare Data Private and Secure
Recent HIPAA Violations: 5 Largest HIPAA Breach Fines Since 2009
In late 2009, the HIPAA breach notification requirement was initiated, which mandated that “HIPAA covered entities and their business associates provide notification following a breach of unsecured protected health information (PHI).” Since that time, more than 32 million people have had their PHI violated in HIPAA privacy and security breaches. In response to the violations, The Office for Civil Rights (OCR), as the HIPAA enforcement arm of the Department of Health and Human Services, imposed more than $26 million in fines against healthcare organizations who have compromised PHI. As part of the ongoing harsh enforcement crackdown, the OCR determined that the following breaches deserved the most severe fines:
5. WellPoint - $1.7 Million
In July of 2013, managed care company WellPoint failed to perform a suitable technical evaluation when upgrading software and disregarded a user verification measure for their web-based patient database. These mishandlings of technology resulted in a breach of 612,402 records made accessible to unauthorized internet users over a period of five months.
4. Concentra Health Services - $1.73 Million
While Concentra’s breach only affected 870 individuals, less than WellPoint’s breach, their fine imposed in April 2014 by OCR was one of the largest. What began as an investigation into a stolen, unencrypted laptop, soon revealed that Concentra failed to enforce encryption policies on close to 28 percent of their laptops. Possibly the biggest surprise in Concentra’s case was that an inventory assessment of Concentra’s PHI-containing non-encrypted laptops was not completed until 2013, more than 4 years after the HIPAA breach notification requirement became instated.
3. CVS Pharmacy - $2.25 Million
In January 2009, OCR found that CVS pharmacies were committing possibly one of the most egregious HIPAA offenses by disposing of PHI in public dumpsters. Alongside the OCR investigation, the Federal Trade Commission also investigated the CVS on its safety policies. The breach by CVS pharmacies was so severe that OCR was not even able to determine the number of individuals affected by the violation.
2. Cignet Health Center - $4.3 Million
The OCR’s investigation into the Maryland-based health center was two-pronged, including denial of medical record access and denial of investigation requests. From 2008 to 2009, Cignet denied 41 patient requests for their medical records, resulting in a fine of $1.3 million. During further investigation by the OCR, Cignet refused to respond to OCR investigation requests for documentation and access, which OCR then responded to with a $3 million fine.
1. New York Presbyterian Hospital and Columbia University - $4.8 Million
The largest fine imposed for a HIPAA breach occurred in May of 2014, when a Columbia University physician attempted to deactivate a personal computer server on the New York Presbyterian and Columbia network containing PHI. Because the personal computer was not set up with appropriate technical safeguards, the deactivation resulted in ePHI being available on Google. The breach was not discovered by the entity, as is normally the case, but rather by a family member who saw their deceased partner’s PHI online and reported the complaint to the hospital. The record belonged to one of 6,800 individuals affected in the breach.
Simple mistakes can equal big fines. Implement best practices for HIPAA and conduct ongoing risk analysis. Failing to update your HIPAA compliance training and/or risk assessments can mean big holes in your PHI security. Workforce training and HIPAA policy awareness will go a long way in protecting your organization’s PHI and ensuring privacy and security.