US Hospitals Fined $2.175M for "Refusal to Properly Report" Data Breach

Written by

An American health services provider has agreed to pay a fine of $2.175m after refusing to properly notify Health and Human Services of a data breach.

In April of 2017, a complaint regarding Sentara Hospitals was received by the Department of Health and Human Services (HHS). The complainant said that they had received a bill from Sentara Hospitals containing another patient’s protected health information (PHI). 

An investigation launched by the Office for Civil Rights (OCR) determined that Sentara had merged the billing statements for 577 patients with 16,342 different guarantors' mailing labels, resulting in the disclosure of the PHI of 577 individuals. 

Information exposed by the breach included patient names, account numbers, and dates of services they had received.  

Sentara reported this incident as a breach affecting only eight individuals. The health services provider had incorrectly concluded that unless a disclosure included patient diagnosis, treatment information, or other medical information, no reportable breach of PHI had occurred.  

A spokesperson for HHS said: "Sentara persisted in its refusal to properly report the breach even after being explicitly advised of their duty to do so by OCR."

The OCR also determined that Sentara Hospitals provides services involving the receipt, maintenance, and disclosure of PHI for its member-covered entities, but did not enter into a business associate agreement with its business associate Sentara Healthcare until October 17, 2018, well after the breach.

Sentara manages 12 acute-care hospitals with more than 300 sites throughout Virginia and North Carolina. The health services provider agreed to take corrective action and pay $2.175m to settle potential violations of the Health Insurance Portability and Accountability Act (HIPAA) Breach Notification and Privacy Rules.

Roger Severino, OCR director, said: "HIPAA compliance depends on accurate and timely self-reporting of breaches because patients and the public have a right to know when sensitive information has been exposed.

"When health care providers blatantly fail to report breaches as required by law, they should expect vigorous enforcement action by OCR."

In addition to the monetary settlement, Sentara will undertake a corrective action plan that includes two years of monitoring. As part of the plan, Sentara will have to develop, maintain, and revise, as necessary, their written policies and procedures to comply with federal standards.

What’s hot on Infosecurity Magazine?