PHI Breach at Urgent Team Holdings, The Guidance Center and MetroHealth

Urgent Team Holdings Reports Breach of the PHI of 166,600 People

Urgent Team Holdings, which operates more than 70 urgent care and walk-in clinics in Alabama, Arkansas, Georgia, Tennessee, and Mississippi, has recently notified 166,601 patients that unauthorized individuals may have obtained some of their protected health information (PHI) in a November 2021 cyberattack.

Urgent Team said it determined that its network was compromised between November 12, 2021 and November 18, 2021. With the assistance of third-party cybersecurity specialists, Urgent Team established that files potentially exfiltrated from its systems contained patient PHI. A comprehensive review of the files was completed on January 31, 2022, and confirmed that they included patients’ full names, medical record numbers, and dates of birth.

Although data theft may have occurred, no evidence of data exfiltration was identified and no reports of misuse of patient data have been received. To strengthen security, Urgent Team has implemented multi-factor authentication and added further layers of security to its network to reduce the risk of unauthorized access. A new antivirus solution has also been deployed that generates alerts on attempted unauthorized access to its systems.

Email Account Breach at The Guidance Center

The Guidance Center, Inc. recently discovered that unauthorized individuals had access to some employees’ email accounts for a brief period. When the breach was detected, the email accounts were promptly secured and an investigation was launched to determine the nature and scope of the incident.

Third-party cybersecurity experts assisted with the investigation to confirm the security of its computer network, and additional security measures have since been implemented to prevent further attacks. A review of the affected email accounts revealed that they contained patients’ protected health information. The types of compromised information varied from individual to individual and may have included names together with one or more of the following data elements: medical treatment or diagnosis information, patient record numbers, and/or health insurance details.

The Guidance Center has reported the breach to the HHS’ Office for Civil Rights as affecting 23,104 individuals. Complimentary identity protection and credit monitoring services have been offered to selected individuals, depending on the types of information that were exposed.

MetroHealth Announces Compromise of 1,700 Patients’ PHI

MetroHealth System in Cleveland, OH, has notified approximately 1,700 patients that some of their PHI was impermissibly disclosed to other patients because of an error that occurred during an upgrade of its electronic health record (EHR) system.

A misconfiguration meant that whenever patient records were generated for release to patients, information about other individuals was inadvertently included in those records, such as patient names, visit information, and the healthcare providers they had seen. No other personal, financial, or medical information was affected.

The EHR vendor discovered the issue and notified MetroHealth of the data breach on February 10, 2022. Notification letters were sent to affected individuals on April 11.

Resources for Human Development, WellStar Health and Central Vermont Eye Care Announce Data Breaches

Resources for Human Development Reports Breach Affecting 46,673 People

Resources for Human Development (RHD), a national human services nonprofit based in Philadelphia, PA, has recently announced the theft of a hard drive containing the protected health information (PHI) of 46,673 people. The theft occurred on or around January 27, 2022, and was discovered by RHD on February 16, 2022.

The hard drive was used for its Point-to-Point program in Exton, PA, and contained information such as names, driver’s license numbers, Social Security numbers, financial account information, payment card details, dates of birth, prescription information, diagnoses, treatment information, treatment providers, health insurance information, medical information, Medicare/Medicaid ID numbers, employer identification numbers, electronic signatures, and the usernames and passwords of clients and employees.

RHD said forensics experts investigated the scope of the breach and confirmed the security of its offices and computer servers. Employees have also received training on best practices for safeguarding confidential data.

Email Breach at Wellstar Health

Wellstar Health, based in Atlanta, GA, has recently confirmed that unauthorized individuals accessed employee email accounts and may have obtained patient data. Wellstar Health learned of the security incident on February 7, 2022, and a forensic investigation confirmed that the breach was limited to two email accounts. No other systems were affected.

The email accounts were determined to have been compromised between December 6, 2021 and January 3, 2022. Upon discovery of the breach, the accounts were promptly deactivated and secured. A review of the accounts confirmed that they contained PHI such as names, internal account numbers, medical record numbers, and laboratory information. No evidence was found that any patient data had been misused.

It is currently unclear how many patients were affected.

Central Vermont Eye Care Hacking Incident Affects 30,000 Patients

The ophthalmology practice Central Vermont Eye Care in Rutland, VT, recently reported a hacking incident. The exact nature of the incident is not yet clear; however, it has been confirmed that unauthorized individuals may have gained access to the PHI of up to 30,000 patients. Notification letters were mailed to those individuals on April 6, 2022.

OCR Wants Feedback on Recognized Security Practices and the Distribution of HIPAA Settlements with Victims

The Department of Health and Human Services’ Office for Civil Rights has published a Request for Information (RFI) relating to two specific provisions of the Health Information Technology for Economic and Clinical Health Act of 2009 (HITECH Act).

Under the 2021 amendment to the HITECH Act made by the HIPAA Safe Harbor Act, the HHS must take into account the security practices that HIPAA-regulated entities had in place when deciding whether to impose financial penalties and other remedies for potential HIPAA violations identified in the course of investigations and audits.

The aim of the HIPAA Safe Harbor Act is to encourage HIPAA-regulated entities to adopt cybersecurity best practices. The incentive for organizations that have had industry-standard security practices in place for one year before a data breach occurs is reduced financial penalties for security breaches and less scrutiny from the HHS.

Another provision, which dates back to when the HITECH Act was signed into law, requires the HHS to share a portion of civil monetary penalties (CMPs) and settlement payments with individuals harmed by the violations for which the penalties were imposed. The HITECH Act requires the HHS to establish a methodology for determining the appropriate amounts to be shared, based on the nature and extent of the HIPAA violation and the nature and extent of the resulting harm.

Earlier this year, the newly appointed Director of the HHS’ Office for Civil Rights (OCR), Lisa J. Pino, confirmed that these two HITECH Act requirements would be addressed this year. Yesterday, OCR published the RFI in the Federal Register seeking public comment on these two provisions of the HITECH Act.

Specifically, OCR is seeking comment on what constitutes “Recognized Security Practices,” the recognized security practices that HIPAA-regulated entities are implementing to protect electronic protected health information (ePHI), and how those entities adequately demonstrate that recognized security practices are in place. OCR would also like to learn of any implementation issues that those entities would like OCR to clarify, whether through further rulemaking or guidance, and to receive suggestions on the action that should trigger the start of the 12-month look-back period, as this is not specified in the HIPAA Safe Harbor Act.

One of the main difficulties with the requirement to share CMPs and settlements with affected individuals is that the HITECH Act does not define harm. OCR is seeking feedback on the types of “harm” that should be considered when distributing a percentage of CMPs and settlements, and suggestions on possible methodologies for sharing and distributing funds to harmed individuals.

This request for information has long been anticipated, and feedback from the public and affected industries is welcomed. Individuals who are historically underserved, marginalized, or subject to discrimination or systemic disadvantage are encouraged to comment on this RFI, so that their interests are taken into consideration in later rulemaking and guidance.

To be considered, responses must be submitted to OCR by June 6, 2022.

The Protecting and Transforming Cyber Health Care (PATCH) Act Presented to Enhance Medical Device Cybersecurity

Two senators have introduced the bipartisan Protecting and Transforming Cyber Health Care (PATCH) Act, which aims to improve the security of medical devices.

Vulnerabilities are frequently found in medical devices that could be exploited by threat actors to alter the functioning of the devices, render them inoperable, or use the devices as a foothold for broader attacks on healthcare systems. During the pandemic there was a surge in cyberattacks on healthcare organizations, and medical devices and the systems to which they connect were affected by ransomware attacks. These attacks have affected patients, hospitals, and the medical device industry.

U.S. Senators Tammy Baldwin (D-WI) and Bill Cassidy, M.D. (R-LA) introduced the PATCH Act to ensure that the cyber infrastructure of the American healthcare system remains safe and secure. The PATCH Act would amend the Federal Food, Drug, and Cosmetic Act to require all premarket submissions for medical devices to include information on the cybersecurity measures that have been implemented.

If enacted, the Food and Drug Administration (FDA) would only approve a medical device for use once the manufacturer has ensured that critical cybersecurity requirements have been incorporated. The PATCH Act would also require medical device manufacturers to design, develop, and maintain processes and procedures for updating and patching the devices and related systems throughout the lifecycle of the device. A Software Bill of Materials must also be provided to end users for every device, which will make it easier to identify vulnerabilities that affect the devices, such as vulnerabilities in open source components and dependencies.

The PATCH Act would additionally require medical device manufacturers to establish a plan for monitoring, identifying, and addressing post-market cybersecurity vulnerabilities, and a Coordinated Vulnerability Disclosure program would be required to demonstrate the safety and effectiveness of a device.

New medical technologies offer great potential to enhance the health and quality of life, stated Dr. Cassidy. If Americans are unable to depend on the protection of their personal data, this potential won’t be achieved.

With the PATCH Act, modern medical technologies are better secured from cyber threats and personal health information is safe while seeking new ways to enhance care at the same time.

Reps. Michael C. Burgess (R-TX) and Angie Craig (D-MN) presented a companion bill in the House of Representatives.

Data Breaches at CSI Laboratories and Christie Clinic; Scripps Health Issues More Notification Letters

Conti Ransomware Gang Says It is Responsible for CSI Laboratories Cyberattack

Cytometry Specialists, Inc., also known as CSI Laboratories, in Alpharetta, GA, has recently reported that it experienced a cyberattack that was discovered on February 12, 2022. An investigation determined that files containing some patient information were copied from its systems, consisting mostly of patient names and the case numbers used to identify patients. However, addresses, dates of birth, medical record numbers, and health insurance information were also included for some patients.

CSI Laboratories said in its website notice that at this stage of the investigation there is no indication of any misuse of patient data. Although CSI Laboratories did not disclose the nature of the attack, the Conti ransomware group has claimed responsibility for it and has posted a sample of the stolen data on its data leak site. CSI Laboratories said it has already restored its systems and is closely monitoring its network for abnormal activity. No statement was made regarding payment of any ransom demand.

The incident has not yet appeared on the HHS’ Office for Civil Rights breach portal, so it is unclear how many individuals were affected.

Email Account Breach Announced by Christie Clinic

Christie Business Holdings Company, P.C., dba Christie Clinic, has recently reported a security incident involving an employee’s email account. The company’s breach notice did not state when the breach was discovered; however, the forensic investigation confirmed on January 27, 2022, that an unauthorized individual accessed the email account between July 14, 2021 and August 19, 2021.

Christie Clinic said the apparent purpose of the attack was to intercept a business transaction between the company and a third-party vendor, rather than to obtain sensitive data from the email account; however, it was not possible to determine the extent to which emails in the account were viewed. Christie Clinic said the investigation confirmed that the breach affected only one email account. No other systems or accounts were affected. On March 10, 2022, the review of information in the account determined that the emails contained protected health information (PHI) such as names, Social Security numbers, addresses, health information, and health insurance details. Notification letters were sent to affected individuals on March 24, 2022.

Christie Clinic said it already uses industry-leading network security tools, provides regular training on data security and privacy, and has implemented additional safeguards.

Scripps Health Issues More Notification Letters Regarding 2021 Ransomware Attack

On June 1, 2021, Scripps Health in San Diego notified the HHS’ Office for Civil Rights of a ransomware attack that potentially compromised the PHI of 147,267 patients. Hackers had access to its systems from April 26, 2021 to May 1, 2021, and likely copied files containing patient information. The attack led to class action lawsuits, and the healthcare organization lost over $113 million.

Almost a year after the network breach, a patient contacted NBC 7. The patient had received a notification letter dated March 15, 2021, informing her that her PHI may have been compromised in the attack, including her name, address, date of birth, health insurance information, patient account number, medical record number, and clinical information such as diagnosis or treatment details. The patient had not previously received any notification about the ransomware attack.

NBC 7 contacted Scripps Health, which confirmed that the manual document review had only recently been completed and had identified additional patient information that was potentially exposed in the attack, but it did not say how many more patients were affected.

OCR Announced Financial Penalties for Violations of HIPAA Right of Access

Dental Practitioner Fined $30,000 for Noncompliance with the HIPAA Right of Access

OCR investigated Dr. Donald Brockley D.D.M, a solo dental practitioner in Butler, PA, following a complaint from a patient who did not receive a copy of the requested health records within the time frame set by the HIPAA Privacy Rule. OCR determined that Dr. Brockley had violated the HIPAA Right of Access and, in an August 27, 2019 letter, gave him the opportunity to submit written evidence of any mitigating factors. No response was received.

OCR then notified Dr. Brockley of its intent to impose a $104,000 financial penalty, and Dr. Brockley requested a hearing before an Administrative Law Judge to contest the penalty. On October 8, 2021, the parties submitted a joint motion to stay the proceedings for 60 days, during which an agreement was reached and the case was resolved.

Dr. Brockley agreed to settle the case by paying a $30,000 financial penalty and adopting a corrective action plan that includes updating policies and procedures to ensure compliance with the HIPAA Right of Access.

California Psychiatric Medical Services Pays $28,000 Financial Penalty to Resolve HIPAA Right of Access Case

OCR investigated Jacob & Associates, a provider of psychiatric medical services in California, following a complaint from a patient who said that Jacob & Associates had failed to provide a copy of her medical records, which she requested on July 1, 2018. The complainant said she had made the same request every July 1 since 2013, but the requested records were never provided.

After filing the complaint with OCR, the patient resubmitted the records request. A complete copy of the requested health records was provided by email on May 16, 2019. However, before receiving the records she had to visit the practice in person to complete a records access form. She was also charged $25 for the copy, and initially received only a partial, one-page copy and had to submit another request to obtain her complete records.

OCR determined that Jacob & Associates had violated the HIPAA Right of Access by failing to provide timely access to the patient’s health records, had charged the patient an unreasonable, non-cost-based fee, and did not have policies and procedures covering patients’ right to access their protected health information (PHI).

During the investigation, OCR also found that Jacob & Associates had not designated a HIPAA Privacy Officer and that its notice of privacy practices lacked the required content. The case was settled with Jacob & Associates paying $28,000 and agreeing to implement a corrective action plan to address all areas of non-compliance.

Arkansas AG Filed Legal Action Against Eastern Ozarks Regional Health for Patient Data Breach

Arkansas Attorney General Leslie Rutledge has announced legal action against Country Medical Services Inc. for mishandling the sensitive personal information and protected health information (PHI) of a large number of individuals. Country Medical Services is the former operator of Eastern Ozarks Regional Health System in Cherokee Village. The company’s owners were Robert Becht of Hartsville, TN, and Theresa Hanson of Deland, FL.

Eastern Ozarks Regional Health’s 40-bed hospital was permanently closed in December 2004. Country Medical Services had operated the hospital for 9 years, but an investigation by the state Department of Health identified around three dozen potential Emergency Medical Treatment and Labor Act violations because the hospital could not provide emergency services. In 2004, rather than face financial penalties, the hospital promptly surrendered its hospital license.

Six years later, the property was forfeited to the state because the owners had not paid the taxes. The Attorney General’s office inspected the property and found boxes of documents containing sensitive personal information. Unauthorized individuals had gained access to the property, and files kept in the facility appeared to have been rifled through, possibly by people searching for sensitive personal information. It is currently unclear how many former patients’ sensitive data were exposed and possibly stolen. The files left unsecured at the facility included a variety of sensitive employee and patient information, such as names, contact details, driver’s license numbers, Social Security numbers, financial account information, medical information, and biometric data.

According to the lawsuit, which was filed in Sharp County Circuit Court, the investigation found no evidence that the hospital had taken any reasonable steps to permanently destroy or secure the sensitive documents. Failing to protect the confidentiality of patient information is a violation of the Health Insurance Portability and Accountability Act (HIPAA); however, as is usually the case, the legal action is being taken for violations of comparable state laws. The lawsuit alleges that the defendants violated the Arkansas Deceptive Trade Practices Act (ADTPA) and the Arkansas Personal Information Protection Act (PIPA). Country Medical Services and its owners therefore face civil penalties of up to $10,000 per violation of the ADTPA and PIPA.

People must be able to trust their healthcare providers and employers to protect their personal data. Eastern Ozarks Regional Health System betrayed that trust and left patients and employees vulnerable to fraud and identity theft, so the hospital and its owners are being held accountable.

80K Records Breached at Central Indiana Orthopedics & Duncan Regional Hospital

Duncan Regional Hospital in Oklahoma and Central Indiana Orthopedics have reported cyberattacks that affected a total of 170,084 individuals.

Duncan Regional Hospital

Duncan Regional Hospital has recently reported that it suffered a cyberattack in January. The incident was discovered on January 20, 2022, when suspicious activity was detected in parts of its IT systems. The IT team immediately took all systems offline to prevent further unauthorized access, and a third-party computer forensics firm investigated the incident to determine the nature and scope of the breach.

Duncan Regional Hospital said the attackers did not gain access to its electronic medical record system but did access parts of the network that store files containing patient information. Those files included patient names, telephone numbers, addresses, dates of birth, Social Security numbers, appointment information such as dates of service and healthcare provider names, and some treatment information.

The hospital has taken steps to strengthen security and prevent further attacks, including a hospital-wide password reset, deployment of new endpoint threat detection and response monitoring software, and stricter firewall rules. Affected individuals have been notified and offered complimentary credit monitoring and identity protection services.

The hospital has reported the incident to the HHS’ Office for Civil Rights as affecting 86,379 patients.

Central Indiana Orthopedics

Earlier this month, Central Indiana Orthopedics reported that it experienced a cyberattack that was discovered on October 16, 2021. Action was promptly taken to secure its systems, and a third-party computer forensics firm was engaged to investigate the incident.

The investigation determined that unauthorized individuals accessed files containing patient data; however, no reports have been received of any misuse of patient data. The types of data in the files varied from patient to patient and may have included names, Social Security numbers, addresses, and some medical information.

Central Indiana Orthopedics said several steps have been taken in response to the breach to strengthen security, prevent further cyberattacks, and reduce the potential for future harm. All individuals affected by the incident have been notified and offered complimentary dark web monitoring, credit monitoring, and identity theft protection services.

Central Indiana Orthopedics has reported the incident to the HHS’ Office for Civil Rights as affecting 83,705 individuals.

Breach Barometer Report Reveals 2021 Had More Than 50 Million Healthcare Records Breached

Protenus has published its 2022 Breach Barometer Report, which shows that 2021 was a particularly bad year for healthcare data breaches, with more than 50 million healthcare records breached.

The report covers healthcare data breaches reported to regulators, breaches reported in the media, incidents not yet disclosed by the breached entity, and breaches involving healthcare information at non-HIPAA-regulated entities. The data for the report was provided by Databreaches.net.

Protenus has published annual Breach Barometer reports since 2016, and the number of healthcare data breaches and breached records has increased every year. In 2021, some 50,406,838 people were confirmed to have been affected by healthcare data breaches, a 24% increase on the previous year. The report covers 905 incidents, a 19% increase from 2020.

The largest healthcare data breach of 2021 affected the children’s health plan Florida Healthy Kids Corporation of Tallahassee, FL. Vulnerabilities in its website had gone unaddressed by its business associate since 2013, and hackers exploited those vulnerabilities to gain access to the sensitive information of 3,500,000 people who had applied for health insurance between 2013 and 2020.

Hacking incidents increased for the sixth consecutive year. 678 breaches were attributed to hacking incidents, including ransomware, malware, phishing, and email incidents, which resulted in the exposure or theft of 43,782,811 records.

The number of insider incidents fell back after rising in 2020: there were 111 insider incidents in 2021, compared with 110 in 2019. The 26% increase in 2020 was likely due to greater pandemic-related insider curiosity or improved organizational detection of improper access.

There were 32 breaches involving theft, affecting about 110,6656 records, and 11 incidents involving lost or missing devices or documents containing the records of about 30,922 people. 73 incidents could not be classified due to a lack of information.

Healthcare providers were the worst affected type of HIPAA-covered entity; however, business associate data breaches doubled compared with 2019. Of those incidents, 75% were hacking-related, 12% were due to insider error, and 1% to insider wrongdoing, and 20,986,509 records were breached. Protenus notes that the average number of records breached in business associate data breaches is higher than for other breaches.

The time to discover a data breach fell by 30% from 2020. The average time from occurrence to discovery is now 132 days; however, organizations are taking longer to report data breaches than in 2020. The average time to report a data breach in 2021 was 118 days, well beyond the 60 days allowed by the HIPAA Breach Notification Rule, compared with 85 days in 2020.

The need for proactive patient privacy monitoring is greater than ever. Today’s threats are far more serious than before and can come from many sources, from a snooping employee to a sophisticated hacker who gains access through an employee. Once a breach destroys patient trust in an organization, it is very hard to recover.

HC3 Report on Cyberattack Trends and Insights to Enhance Healthcare Cybersecurity

The HHS’ Health Sector Cybersecurity Coordination Center (HC3) has published a new report, Health Sector Cybersecurity: 2021 – Retrospective and 2022 Look Ahead. The report gives a retrospective of healthcare cybersecurity over the last 30 years, highlighting some of the major cyberattacks to hit the healthcare sector.

In 1989, the biologist Joseph Popp distributed 20,000 floppy disks at the World Health Organization AIDS conference in Stockholm. When the disks were used, malicious code was installed that counted reboots. After 90 reboots, a ransom note was displayed stating that the software lease had expired and that a $189 payment was required to regain access to the system.

The report shows how adversaries escalated their attacks on the healthcare sector between 2014 and 2017.

  • In 2014, Boston Children’s Hospital suffered a serious Distributed Denial of Service (DDoS) attack.
  • In 2015, a major cyberattack on Anthem Inc. resulted in the records of 80 million health plan members being accessed without authorization.
  • In 2016, Hollywood Presbyterian Medical Center paid a $17,000 ransom after a ransomware attack.
  • In 2017, the WannaCry attacks affected more than 200,000 systems.

In 2019, ransomware came to be widely used in attacks on healthcare organizations, with the Ryuk ransomware group among the most prominent operators. One of the group’s attacks targeted a managed service provider and affected around 400 dental practices. The attacks continued, and more threat actors started using ransomware to attack businesses. In 2020, cybercriminals exploited the COVID-19 pandemic and used COVID-19 lures in their phishing attacks, which continued throughout 2021. McAfee observed an average of 375 COVID-themed threats per minute in 2020.

2020 also saw major cyberattacks reported by Scripps Health, Accellion, SolarWinds, CaptureRX, and Universal Healthcare Services. Emsisoft reported that $18.6 billion in ransoms had been paid to ransomware groups globally, although the true total was estimated to be around $75 billion.

The prolific Maze ransomware group shut down its operation in 2020, but attacks were carried out by many other threat actors such as REvil, BlackMatter, and Abaddon. In 2021, the Conti ransomware gang conducted a massive ransomware attack on Ireland’s Health Service Executive. The attack affected 54 public hospitals as well as others that relied on HSE infrastructure, and it took 4 months to bring all systems back online.

The report shows that cyberattacks on the healthcare sector have been going on for many years and will continue for years to come. HC3 advises healthcare organizations to keep strengthening their defenses against the most common threats, such as phishing, ransomware, and malware. Security teams should provide regular security awareness training for employees, run phishing simulations to test the effectiveness of that training, use gateway/mail server filtering, whitelisting, and blacklisting, and operationalize indicators of compromise.

It is also essential to secure remote access technologies, which are often exploited to gain access to systems. The exposure of Virtual Private Networks and Remote Desktop Protocol-based technologies should be reduced to the operational minimum, services should be switched off when not in use, and activity logs should be retained and reviewed regularly.

Vulnerability management is important and should be methodical, comprehensive, and repeatable, with enforcement mechanisms in place. It is essential to maintain situational awareness of relevant vendor updates and advisories and to establish repeatable processes for assessment, patching, and update deployment.

Healthcare organizations need to understand the value of what they stand to lose: protected health information, which commands a high price on the black market, and intellectual property, which is frequently sought by foreign nation states. Once those assets have been identified, steps should be taken to ensure they are protected.

In addition to implementing safeguards against attacks, it is essential to recognize that there will always be a high likelihood of compromise, to prepare for an attack, and to plan and test the response in advance to ensure that the organization can continue to operate.

Healthcare organizations are also advised to consider relatively new approaches to defensive planning, bearing in mind that adversaries are now thinking in terms of maximizing the number of victims and are attacking managed service providers and the supply chain. Healthcare organizations should consider how they can prevent and mitigate attacks on third parties.

HC3 notes that situational awareness will always be important. New threats will emerge, the tactics, techniques, and procedures of threat actors will change, and new vulnerabilities will be discovered. It is essential to stay up to date with new threats and vulnerabilities and with the ways to remediate and mitigate them.

It is critical to maintain robust defenses and to protect against distributed attacks as well as other avenues of compromise. HC3 lists a number of resources in the report that healthcare organizations can use to build their defenses and block current and emerging attack methods.

OCR Director Tells HIPAA-Regulated Entities to Reinforce Their Cybersecurity Posture

In a new blog post, Lisa J. Pino, Director of the HHS' Office for Civil Rights (OCR), urged HIPAA-regulated entities to take action to strengthen their cybersecurity posture in 2022 in light of the surge in cyberattacks on the healthcare sector.

2021 was a particularly bad year for healthcare providers, with healthcare data breach reports reaching record levels. OCR recorded 714 healthcare data breaches of 500 or more records in 2021, and more than 45 million records were exposed.

Most of those breaches were hacking and other IT incidents, which resulted in the exposure or theft of the healthcare data of more than 43 million people. In 2021, hackers targeted healthcare organizations that were dealing with the COVID-19 pandemic and conducted a number of attacks that had a serious impact on patient care, forcing the cancellation of surgeries, medical tests, and other services because IT systems were taken offline and network access was shut down.

Pino also highlighted the critical vulnerability discovered in the Log4j logging utility, which is embedded in many healthcare applications. The vulnerability was identified in December 2021, and cybercriminals and other threat groups were quick to exploit it to gain access to servers and networks for a range of malicious purposes.

These vulnerabilities and data breaches show how important it is for healthcare providers to be alert to risks and to act quickly whenever new risks to the confidentiality, integrity, and availability of protected health information (PHI) are identified.

Pino explained that OCR investigations and audits have uncovered numerous instances of noncompliance with the risk analysis and risk management requirements of the HIPAA Rules. Risk assessments often cover only the electronic health record; an enterprise-wide risk analysis is required. Risk management strategies must be comprehensive in scope and cover all electronic protected health information (ePHI) held throughout the organization, from software applications to connected devices, legacy systems, and other locations across the network.

OCR’s investigations of data breaches in 2020 identified several areas where HIPAA-regulated entities need to take action to improve compliance with the requirements of the HIPAA Security Rule, specifically:

  • Risk analysis
  • Risk management
  • Audit controls
  • Information system activity review
  • Security awareness and training
  • Authentication

Pino made a number of recommendations, including reviewing risk management policies and procedures, ensuring data are backed up regularly (and testing backups to confirm that data can be recovered), performing regular vulnerability scans, promptly patching and updating applications and operating systems, training employees to recognize phishing and other common attacks, and practicing good cyber hygiene.

CISA and the Office for Civil Rights have published resources to help protect against common threats to ePHI.

Bipartisan Legislation Proposed to Update Health Data Privacy Regulations

Healthcare privacy regulations in the U.S. need to be updated to bring them into the modern age and ensure that individually identifiable health data are protected regardless of how they are collected and shared. The Health Insurance Portability and Accountability Act (HIPAA) Privacy Rule is now more than 20 years old. The Department of Health and Human Services (HHS) has proposed updates to the HIPAA Privacy Rule that are expected to be finalized in 2022, but even if the proposed changes are adopted, regulatory gaps will remain that leave health data at risk.

The use of technology for healthcare and health information has evolved in ways that could not have been envisioned when the Privacy Rule was enacted. Health data are now being collected by health apps and other systems, and individuals’ sensitive health information is being shared with and purchased by technology companies. The HIPAA Privacy and Security Rules introduced requirements to protect the privacy and security of health data, but HIPAA applies only to HIPAA-covered entities (healthcare providers, healthcare clearinghouses, and health plans) and their business associates. Many of the emerging technologies now used to record, store, and transmit health information are not covered by HIPAA, so its protections and safeguards do not apply. Moreover, the proposed changes to the HIPAA Privacy Rule will make it easier for individuals to obtain access to their health data and to direct covered entities to send that data to unregulated personal health apps.

New bipartisan legislation introduced recently aims to start the process of identifying and closing the privacy gaps associated with emerging technologies so that health information is better protected, including health data not currently covered by HIPAA. The Health Data Use and Privacy Commission Act, introduced by Sens. Bill Cassidy (R-LA) and Tammy Baldwin (D-WI), would establish a new commission tasked with reviewing existing federal and state health data privacy laws and recommending updates that reflect the current technology landscape.

The opportunity of new technology to enhance patient care looks boundless. Nevertheless, Americans need to have confidence that their personal health information is safeguarded when this technology can reach its 100% potential, said Dr. Cassidy. It is necessary to upgrade HIPAA for the contemporary day. This law commences this process on a path to be sure it is done properly.

The Comptroller General is tasked with appointing the commission’s members, who must submit their report, findings, and recommendations to Congress and the President within six months. The commission must review existing privacy laws and determine their effectiveness and limitations, any potential threats to individual health privacy and to legitimate business and policy interests, and the purposes for which sharing health data is appropriate and beneficial to individuals.

The commission must report on whether additional federal legislation is needed and, if existing privacy laws should be updated, recommend the best ways to reform, streamline, harmonize, unify, or augment existing laws and regulations relating to personal health privacy. Those recommendations could include revisions to HIPAA to cover a broader range of entities, or new state or federal regulations covering medical information. When recommending updates, the commission must detail the likely costs, burdens, and potential unintended consequences, and whether there is a risk to health outcomes if privacy regulations are too strict.

The Health Data Use and Privacy Commission Act has attracted support from several medical associations and technology companies, including the College of Cardiology, the National Multiple Sclerosis Society, the Federation of American Hospitals, Epic Systems, IBM, and the Association of Clinical Research Organizations.

Deadline for Reporting 2021 PHI Breaches Affecting Fewer Than 500 Individuals

The Health Insurance Portability and Accountability Act (HIPAA) Breach Notification Rule sets a strict time limit for issuing notifications to individuals whose protected health information (PHI) has been compromised or impermissibly disclosed. The maximum time frame is 60 days from the discovery of the breach, although notification letters must be sent “without unreasonable delay.”

In addition to sending notification letters to the individuals affected by a data breach, the HIPAA Breach Notification Rule requires the Secretary of the Department of Health and Human Services (HHS) to be notified of the breach. The time frame for that notification depends on the number of individuals affected.

If a data breach affects 500 or more individuals, the Secretary of the HHS must also be notified without unreasonable delay and no later than 60 calendar days after the discovery of the breach. If full details of the breach are not available within 60 days, the HHS must still be notified, and the report can be amended later as more information becomes available.

If a data breach affects fewer than 500 individuals, HIPAA-regulated entities have more time to submit the breach report to the HHS. Note that the deadline for notifying individuals remains 60 days from the discovery of the breach, regardless of how many people were affected.

The deadline for reporting breaches involving the PHI of fewer than 500 individuals to the HHS is 60 days from the end of the calendar year in which the breach was discovered. All PHI breaches discovered in 2021 that affected the PHI of fewer than 500 individuals must therefore be reported to the Secretary of the HHS no later than 11:59:59 p.m. on March 1, 2022. Each breach must be reported to the HHS separately via the breach reporting tool on the HHS portal.

Many HIPAA-regulated entities leave their breach reporting until close to the deadline, so the breach reporting portal is likely to see heavy traffic as the deadline approaches, which may cause accessibility problems. It is therefore advisable to report any breaches well before the deadline.

Bear in mind that several states have passed their own data breach notification laws, and their reporting deadlines can be shorter than those of the HIPAA Breach Notification Rule. In some cases, HIPAA-regulated entities are exempt from state breach notification laws provided they comply with the reporting requirements of HIPAA. If they fail to comply with the Breach Notification Rule, state attorneys general may choose to investigate, and civil monetary penalties may be imposed for violations of HIPAA or state laws.

February 11, 2022: Deadline for GAO Quick Response Survey on HHS Data Breach Reporting Requirements

The Government Accountability Office (GAO) recently launched a quick response survey of healthcare providers and business associates subject to the Health Insurance Portability and Accountability Act (HIPAA) to gather feedback on their experiences submitting data breach reports to the Secretary of the Department of Health and Human Services (HHS). The questionnaire was originally due to remain open until 4 p.m. EST on Friday, February 4, 2022; however, the deadline has been extended by one week, to February 11, 2022. The survey is being conducted via Survey Monkey and can be accessed at this link: https://www.surveymonkey.com/r/GBFQGTP.

Congress asked the GAO to examine the volume of data breach reports submitted to the HHS since 2015, and the survey aims to identify any problems encountered by covered entities and business associates in complying with the HHS data breach reporting requirements. The GAO will also determine what the HHS has done to address any breach reporting problems and improve the reporting process.

Health-ISAC, the American Hospital Association (AHA), and the Health Sector Coordinating Council (HSCC) are distributing the survey on behalf of the GAO. Survey responses will be aggregated before being passed to the GAO.

GAO has asked for only one survey to be completed per covered entity and business associate. GAO said it will not attribute specific responses to particular individuals or organizations in its report, and the only individually identifiable information that will be passed to GAO is the email address provided in the survey, along with any individually identifiable information respondents volunteer in their answers to open-ended questions.

According to John Riggi, the AHA’s national advisor for cybersecurity and risk, this quick survey is necessary for the GAO to do its work and help determine the positive aspects of the HHS Office for Civil Rights audit and investigation process, along with the many concerns raised over the years by victims of cyberattacks on hospitals and health systems.

Former South Georgia Medical Center Employee Charged Over 41K-Record Data Breach

The Hospital Authority of Valdosta and Lowndes County, Georgia, recently announced a data breach in which a former employee of South Georgia Medical Center copied patient information without authorization.

On November 12, 2021, the hospital’s security software generated an alert indicating that an employee had copied data from the hospital’s systems to a USB drive. The investigation confirmed that the downloaded data included patients’ names, birth dates, and test results. The breach report recently submitted to the Department of Health and Human Services’ Office for Civil Rights indicates that the incident affected the protected health information (PHI) of 41,692 individuals.

The employee had been given access to patient data to perform her job duties, but had no authorization to copy patient data and remove it from the hospital. The employee had left her job at the hospital on November 11, 2021.

South Georgia Medical Center said no data were deleted from its systems and the stolen files have been recovered. The data theft was reported to law enforcement, and the Lowndes County Sheriff’s Office investigated the breach and the recovered files.

Ronald Dean, CEO of South Georgia Medical Center, said there is no indication that any of the copied data were misused in any way, and no financial information or Social Security numbers were taken from the hospital’s systems. Nevertheless, individuals whose PHI was removed from the hospital have been offered complimentary membership of a credit monitoring and identity theft restoration service.

According to the sheriff’s office, as reported by the Valdosta Daily Times, a 43-year-old former employee of South Georgia Medical Center has been charged with felony computer invasion of privacy and felony computer theft in connection with the incident. It is not clear why she copied the data.

South Georgia Medical Center said changes have been made since the incident to strengthen security, including restricting the use of USB drives and providing additional training to employees.

February 4, 2022: Deadline for Sending GAO Feedback on HHS Data Breach Reporting Requirements

The Government Accountability Office (GAO) is conducting a quick response survey of healthcare providers and business associates covered by the Health Insurance Portability and Accountability Act (HIPAA) to gather feedback on their experiences submitting data breach reports to the Secretary of the Department of Health and Human Services (HHS). The questionnaire will remain open until 4 p.m. EST on February 4, 2022. The survey is being conducted via Survey Monkey.

Congress asked the GAO to evaluate the number of data breach reports submitted to the HHS since 2015, and the survey seeks to identify any difficulties experienced by covered entities and business associates in meeting the HHS data breach reporting requirements. The GAO will also determine what the HHS has done to address any breach reporting problems and improve the reporting process.

Health-ISAC, the Health Sector Coordinating Council (HSCC), and the American Hospital Association (AHA) are distributing the survey on behalf of the GAO, and aggregated responses will be provided to the GAO.

GAO has asked for only one survey to be completed per covered entity and business associate. GAO said it will not attribute specific responses to particular individuals or organizations in its report, and the only individually identifiable information that will be passed to GAO is the email address used in the survey, along with any individually identifiable information respondents volunteer in their answers to open-ended questions.

This is an important opportunity to inform the work of the GAO and help identify the benefits of the HHS Office for Civil Rights audit and investigation process that follows a cyberattack, along with the many concerns raised over the years by hospitals and health systems that have been victims of cyberattacks, according to John Riggi, the AHA’s national advisor for cybersecurity and risk.

Settlement Reached in Excellus Data Breach Class Action Lawsuit

Excellus Health Plan Inc., its affiliated companies, and the Blue Cross Blue Shield Association (BCBSA) have reached a settlement in a class action lawsuit filed over a cyberattack discovered in 2015. The attack affected the protected health information (PHI) and personally identifiable information (PII) of more than 10 million subscribers, members, insureds, patients, and customers.

The cyberattack was discovered on August 5, 2015 by a cybersecurity firm that had been engaged to assess Excellus’s IT systems. Excellus and the cybersecurity firm Mandiant investigated and confirmed that the hackers had first gained access to its networks on or before December 23, 2013. Evidence showed that the hackers were active on its systems until August 18, 2014, after which no further traces of activity were found; however, the malware they had installed allowed them to access the systems until May 11, 2015, when something occurred that cut off their access. Excellus took 17 months from the initial intrusion to identify the breach.

The HHS’ Office for Civil Rights (OCR) investigated the breach and identified several potential violations of the HIPAA Rules, including security failures and the impermissible disclosure of PHI. In January 2021, Excellus agreed to pay a $5.1 million financial penalty to resolve the HIPAA violations and to adopt a corrective action plan to address the security failures and the alleged HIPAA noncompliance.

The lawsuit was filed against Excellus, Lifetime Benefit Solutions Inc., Lifetime Healthcare Inc., MedAmerica Inc., Genesee Region Home Care Association Inc., the Blue Cross Blue Shield Association, and Univera Healthcare on behalf of all individuals affected by the breach. The lawsuit originally sought monetary damages and injunctive relief, but for a number of legal reasons the court declined to certify classes seeking monetary damages and certified only a class for injunctive relief.

The plaintiffs alleged that the defendants failed to implement appropriate security measures to ensure the privacy of PII and PHI, failed to detect the breach for 17 months, and, once the breach was discovered, waited too long to notify affected individuals and then provided insufficient information on how victims could protect themselves from harm. The lawsuit sought to require the Excellus defendants and BCBSA to change their data security practices with respect to PII and PHI and to invest in data security. The Excellus defendants and BCBSA denied any wrongdoing and, to date, no court has found that the defendants did anything wrong.

The Excellus defendants and BCBSA have agreed to pay reasonable attorneys’ fees, costs, and expenses as approved by the court, comprising up to $3.3 million in attorneys’ fees and reimbursement of expenses of up to $1,000,000. Service awards of up to $7,500 will also be paid to the class representatives.

The defendants will make improvements to their policies for protecting PII and PHI, which will remain in place for three years from final approval of the settlement or two years from the implementation of the changes. The data security requirements set out in the settlement call for the Excellus defendants and BCBSA to:

  • Increase and maintain a minimum data security budget
  • Develop a plan and engage vendors to ensure that records containing PII or PHI are disposed of within one year after the initial retention period
  • Take steps to improve the security of their systems, including using tools for detecting suspicious activity, authenticating users, responding to and containing security incidents, and storing logs
  • Carry out a comprehensive data archiving program and provide the plaintiffs with documentation verifying the scope, extent, and thoroughness of the archiving work
  • Provide the plaintiffs with copies of documents submitted to OCR demonstrating compliance with the OCR settlement agreement and corrective action plan
  • Make an annual declaration confirming compliance with each element of the settlement agreement, including the extent to which any requirement could not be met

If the settlement is approved by the court (a hearing is scheduled for April 13, 2022), all plaintiffs and class members will release all claims against the Excellus defendants and BCBSA for injunctive and declaratory relief. The settlement does not release any claims against the Excellus defendants and BCBSA for monetary damages.

Class Action Lawsuit Against EHR Vendor Over 320,000-Record Data Breach

QRS, a Tennessee-based healthcare technology services company and EHR vendor, is facing a class action lawsuit over an August 2021 cyberattack that resulted in the exposure and potential theft of the protected health information (PHI) of approximately 320,000 patients.

The breach investigation confirmed that a hacker had access to a single dedicated patient portal server between August 23 and August 26, 2021, and viewed and potentially exfiltrated files containing patients’ PHI. The sensitive information stored on the server included patients’ names, birth dates, addresses, usernames, medical information, and Social Security numbers. QRS began mailing notification letters to affected individuals in late October and offered identity theft protection services to those whose Social Security numbers were compromised.

Matthew Tincher, a resident of Frankfort, KY, filed a class action complaint against QRS in the U.S. District Court for the Eastern District of Tennessee on January 3, 2022. The lawsuit alleges that QRS failed to reasonably secure, monitor, and maintain the PHI and personally identifiable information (PII) stored on its patient portal.

As a result of those failures, the lawsuit claims, Tincher and the class members

  • have suffered actual, concrete, and imminent injury, including present injury and damages from identity theft and the loss or diminished value of their PHI and PII
  • have incurred out-of-pocket expenses in attempting to remedy the breach of their sensitive information
  • have had to spend time dealing with the consequences of the unauthorized access to their data
  • face a continuing and increased risk to their PHI and PII, which were unencrypted and remain available for unauthorized parties to access and misuse.

The lawsuit also takes issue with the speed at which QRS issued breach notification letters, which were sent about two months after the breach was discovered. During those two months, the plaintiff and class members were unaware that they had been placed at significant risk of identity theft, fraud, and personal, financial, and social harm.

The lawsuit states that QRS had a duty to ensure that the PHI and PII on its patient portal were adequately protected, and that its breach of that duty amounts to negligence and/or recklessness in violation of federal and state law. The lawsuit alleges that QRS had signed business associate agreements (BAAs) with its healthcare provider clients and therefore knew or should have known of its obligations to protect PHI against cyberattacks. The lawsuit also lists cybersecurity measures recommended by the Cybersecurity and Infrastructure Security Agency (CISA) that should have been implemented, and states that QRS should have been aware of the substantial risk of attack given the large number of healthcare data breaches reported in recent years.

Lawsuits are frequently filed against healthcare providers over data breaches that expose sensitive information. Whether such a lawsuit succeeds usually depends on whether the plaintiffs can show they have suffered an actual injury as a direct result of the breach. Tincher claims he was notified of the breach on October 22, 2021, and became the victim of actual identity theft within three days, and that it is more likely than not that his sensitive information was exfiltrated from the QRS patient portal during the breach.

The lawsuit claims that the total damages suffered by the plaintiff and class members exceed the $5 million jurisdictional minimum required by the Court. The Court has jurisdiction over the defendant because QRS operates in, and is incorporated in, the district. The plaintiff and class members seek unspecified damages, a jury trial, and injunctive and equitable relief.

HIPAA Violation Penalties in 2021

Only two HIPAA enforcement actions in 2021 were not due to HIPAA Right of Access violations; they are detailed below.

1. Excellus Health Plan paid $5,100,000 as settlement

Excellus Health Plan, based in Rochester, New York, is a member of the Blue Cross Blue Shield Association. It was investigated for potential HIPAA compliance failures after reporting a 2015 data breach involving 9,358,891 records. That breach was one of three mega data breaches reported by health plans that year; the other two were reported by Anthem Inc. and Premera Blue Cross, both of which had already settled their cases by paying large penalties.

Excellus discovered the breach in August 2015. The investigation confirmed that hackers had access to its networks from December 23, 2013 to May 11, 2015. Excellus reported the breach to OCR on September 9, 2015. The hackers had installed malware that allowed them to exfiltrate the data of approximately 7 million Excellus Health Plan members and around 2.5 million Lifetime Healthcare members. The data included names, contact details, birth dates, Social Security numbers, claims information, financial account details, health plan ID numbers, and clinical treatment data.

OCR’s investigation identified several HIPAA violations, including:

  • the failure to conduct an accurate and thorough organization-wide risk analysis
  • the failure to reduce risks and vulnerabilities to ePHI to a reasonable and appropriate level
  • the lack of technical policies and procedures to restrict access to information systems and software to authorized persons

Excellus chose to settle the case, paid a $5,100,000 penalty, and agreed to adopt a comprehensive corrective action plan to address all areas of noncompliance.

2. Peachstate Health Management LLC, dba AEON Clinical Laboratories paid $25,000 as settlement

The enforcement action against Peachstate Health Management is notable because it was the first OCR investigation to result in a financial penalty for HIPAA violations discovered at an entity that was not the original subject of the investigation.

OCR launched an investigation after receiving a report from the Department of Veterans Affairs in 2015 about a data breach at its business associate, Authentidate Holding Corporation (AHC), which managed the VA’s Telehealth Services Program. During the investigation, OCR learned that on January 27, 2016, AHC had entered into a reverse merger with Peachstate Health Management, through which Peachstate was acquired by AHC. Peachstate is a CLIA-certified laboratory that provides clinical and genetic testing services through its publicly traded parent company, AEON Global Health Corporation (AGHC).

OCR then opened an investigation into Peachstate to assess its compliance with the HIPAA Privacy and Security Rules and found several violations of the HIPAA Rules. These included Security Rule failures in risk assessment, risk management, and audit controls, along with a failure to document HIPAA Security Rule policies and procedures. AEON settled the case by paying $25,000 and agreeing to a corrective action plan to address the violations.

2021 HIPAA Violation Cases and Penalties

In 2020, the Department of Health and Human Services’ Office for Civil Rights (OCR) resolved 19 HIPAA violation cases, more financial penalties than in any previous year, and collected $13,554,900 in payments to resolve those cases. In 2021, OCR announced 14 enforcement actions, a slight decrease in the number of HIPAA settlements and penalties. Even so, the number of HIPAA fines in 2021 was the second highest of any year since OCR began enforcing compliance with the HIPAA Rules.

Although the number of penalties remained high in 2021, the total amount fell sharply, to $5,982,150, of which $5,100,000 came from a single enforcement action. Most of the penalties were for HIPAA Right of Access violations, investigated following complaints from patients who did not receive timely access to their health records; they were not penalties for multiple HIPAA Rules violations affecting large numbers of people. The $5,100,000 penalty paid by Excellus Health Plan was so large because it involved several HIPAA Rules violations, spanning several years, that resulted in a breach of the ePHI of 9,358,891 individuals.

Fines for HIPAA Right of Access Noncompliance

At the end of 2019, OCR launched a new HIPAA enforcement initiative targeting noncompliance with the Right of Access standard of the HIPAA Privacy Rule, and it has been aggressively enforcing HIPAA Right of Access compliance ever since. As of December 2021, OCR had imposed 25 penalties for violations of the HIPAA Right of Access, totaling $1,564,650: 24 settlements and one civil monetary penalty, ranging from $3,500 to $200,000, many of them imposed on small healthcare providers.

The HIPAA Right of Access standard (45 C.F.R. § 164.524(a)) gives patients the right to access, inspect, and obtain a copy of their own protected health information (PHI) held in a designated record set. On receipt of a request from an individual or their personal representative, the records must be provided within 30 days. A reasonable, cost-based fee may be charged for providing a copy of the requested records. A request for access to one’s health records can be denied, but only in very limited circumstances.

OCR investigates complaints from individuals who claim they were denied access to their medical records, did not receive their records within 30 days, or were overcharged for copies. The financial penalties imposed by OCR in 2020 for HIPAA Right of Access violations ranged from $15,000 to $160,000 and resulted from refusals to provide copies of records or long delays. In many cases, the records were only provided after OCR intervened.

2021 HIPAA Right of Access Enforcement Actions

1. Banner Health paid $200,000 as settlement
2. Rainrock Treatment Center LLC (dba Monte Nido Rainrock) paid $160,000 as settlement
3. Dr. Robert Glaser paid $100,000 as Civil Monetary Penalty
4. Children’s Hospital & Medical Center paid $80,000 as settlement
5. Renown Health paid $75,000 as settlement
6. Sharp HealthCare paid $70,000 as settlement
7. Arbour Hospital paid $65,000 as settlement
8. Advanced Spine & Pain Management paid $32,150 as settlement
9. Denver Retina Center paid $30,000 as settlement
10. Village Plastic Surgery paid $30,000 as settlement
11. Wake Health Medical Group paid $10,000 as settlement

Other HIPAA Violation Penalties in 2021

Only two HIPAA enforcement actions in 2021 were not due to HIPAA Right of Access violations:

1. Excellus Health Plan paid $5,100,000 as settlement
2. AEON Clinical Laboratories (Peachstate) paid $25,000 as settlement