Priciest HIPAA Incidents of 2015
Cornell Prescription Pharmacy - $125,000 Cornell Prescription Pharmacy, a Denver-based pharmacy specializing in compounded medications, was ordered to pay $125,000 for improper disposal of paper medical records. First reported by a local news outlet three years earlier, the incident involved documents containing the PHI of 1,610 patients being left in an unsecured dumpster on Cornell's property. OCR found that the pharmacy had failed to safeguard PHI and to implement the written policies and procedures required by the Privacy Rule. In addition to the April 2015 settlement, Cornell was ordered to adopt a corrective action plan and to provide training on HIPAA-related policies.
St. Elizabeth's Medical Center - $218,400 St. Elizabeth's Medical Center (SEMC), a 252-bed community hospital located in Brighton, Mass., agreed to a $218,400 settlement in July of this year. The settlement covered breaches occurring in 2012 and 2014. The first breach occurred when a former employee's laptop and flash drive, containing data on an estimated 595 individuals, were stolen. The second breach, reported by an SEMC employee, involved an Internet-based network application used for storing and sharing electronic documents. SEMC failed to fully evaluate the risks of such an application prior to use, compromising the ePHI of 498 patients. SEMC must also implement a corrective action plan to strengthen protection of electronic data.
Cancer Care Group, P.C. - $750,000 Cancer Care Group, P.C., a privately owned radiation oncology group with more than 20 facilities in Central Indiana, was ordered to pay $750,000 in August 2015 for failing to properly secure ePHI. The breach occurred in 2012 when a laptop and backup media were stolen from an employee's vehicle. While the laptop held nothing substantive, the unencrypted backup media contained extensive ePHI on approximately 55,000 patients. Cancer Care Group must also develop a risk management plan and written policies addressing how hardware and electronic media containing ePHI are to be securely transported.
Lahey Hospital and Medical Center - $850,000 Lahey Hospital and Medical Center, a nonprofit teaching hospital located in Burlington, Mass. and affiliated with Tufts University, agreed to an $850,000 settlement in November 2015. The settlement stemmed from a 2011 breach of ePHI, when an unencrypted laptop was stolen from a treatment room in the facility's radiology department. The laptop was being used to store CT images and findings, including those of approximately 599 patients. Besides the financial component, Lahey must conduct an organization-wide risk analysis and adopt a risk management plan to safeguard ePHI in the future.
Triple-S Management Corp. - $3.5 Million Triple-S Management Corporation (TSS), an insurance holding company based in San Juan, Puerto Rico and the largest medical insurance provider there, was ordered to pay $3.5 million for multiple HIPAA breaches over the preceding five years. The third-largest HIPAA settlement to date covered several unauthorized disclosures related to health plan beneficiary mailings: the company sent insurance ID cards to the wrong beneficiaries and printed identification numbers on envelope labels. TSS was also accused of permitting inappropriate database access by former employees, including the transfer of data to another employer's computer system. TSS agreed to establish a comprehensive corrective action plan to mitigate the risk of further HIPAA breaches.
Anthem, Inc. - Settlement Pending This breach, reported in March 2015, involved a coordinated cyberattack on the IT systems of Anthem, which has several health insurance companies under its umbrella. The attackers, who have yet to be identified, accessed the PHI of approximately 78 million current and former members and employees. Anthem stated that no credit card or medical information was compromised; however, names, addresses, and Social Security numbers were among the non-medical identifying information disclosed. While a settlement is pending further investigation, Anthem has initiated several measures to close security gaps and extend additional protections to affected consumers. (Source: Office for Civil Rights Breach Portal)
Premera Blue Cross - Settlement Pending Similar to the Anthem cyberattack, Premera Blue Cross also reported a breach of its IT systems in March 2015. The sophisticated attack, affecting 11 million members, is believed to have begun in 2014, but Premera did not become aware of the intrusion until January 2015. Despite Premera's use of data encryption, the attackers were still able to gain access to both clinical and non-medical information, including member identification numbers and claims details dating back to 2002. Premera has hired a cybersecurity firm to identify gaps in its infrastructure and is coordinating investigative efforts with the FBI. (Source: Office for Civil Rights Breach Portal)