HHS announces ‘record year for HIPAA enforcement’

The US Department of Health and Human Services (HHS) has reported an “all-time record year” in healthcare breach enforcement activity, with organizations paying out more than $28 million in settlement fees in 2018.

Last year, the HHS Office for Civil Rights (OCR) – the unit tasked with enforcing the HIPAA healthcare privacy legislation – settled 10 cases and secured one judgement.

Together, these cases resulted in US healthcare providers paying out $28.7 million, up on the $19 million reported in 2017 and surpassing the previous record of $23.5 million in 2016.

The record HIPAA-related settlement figure in 2018 was driven primarily by a high-profile data security incident involving Anthem, which resulted in the personally identifiable information of nearly 79 million patients being exposed.

In October, the US health insurance provider agreed to pay a whopping $16 million and introduce “substantial corrective action” following a series of cyber-attacks that led to the largest US health data breach in history.

2018 HIPAA enforcement settlements

Other multimillion OCR settlements in 2018 related to data security incidents at Fresenius Medical Care ($3.5 million) and Cottage Health ($3 million).

The sole judgement involved the University of Texas MD Anderson Cancer Center, which was ordered to pay $4.3 million following three separate data breaches in 2012 and 2013.

These incidents involved the theft of an unencrypted laptop and the loss of two unencrypted USB thumb drives containing the clear-text healthcare information of more than 33,500 individuals.

“OCR’s investigation found that MD Anderson had written encryption policies going back to 2006 and that MD Anderson’s own risk analyses had found that the lack of device-level encryption posed a high risk to the security of ePHI [electronic protected healthcare information],” the OCR said in its annual review.

“Despite the encryption policies and high risk findings, MD Anderson did not begin to adopt an enterprise-wide solution to encrypt ePHI until 2011, and even then it failed to encrypt its inventory of electronic devices containing ePHI between March 24, 2011, and January 25, 2013.”

This particular judgement is under appeal with the HHS Departmental Appeals Board.

As required by the US HITECH Act, all breaches of unsecured health information affecting 500 or more individuals must be publicly disclosed.

Managed Health Services (MHS) of Indiana had the dubious honor of being the first healthcare organization listed on the so-called ‘HIPAA Wall of Shame’ in 2019.

As previously reported by The Daily Swig, the protected healthcare information of more than 30,000 MHS patients may have been compromised following a phishing attack against partner company LCP Transportation.