
5 Recent HIPAA Breaches (And How to Make Sure You’re Not Next)

A recent wave of HIPAA security breaches has sent a clear message to the healthcare industry: regardless of a covered entity’s size or presence, the reputational and financial risks associated with any form of non-compliance are simply too big to ignore. And with the number of cybersecurity incidents reported to the OCR surging by almost 40% since 2017, the likelihood that non-compliance will be discovered and punished is only growing over time. 

These breaches have affected entities of all sizes, with causes ranging from weak cybersecurity protocols to active misuse of patient data. But the lesson from each story is the same: healthcare organizations must act now to ensure they are fully HIPAA compliant and protect themselves and their patients from the ever-escalating threat of cyber-attacks. 

5 Recent HIPAA Security Breaches & Settlements 

1. iHealth Solutions: $75,000 in Fines & Corrective Actions 

The U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR) recently settled with iHealth Solutions (also known as Advantum Health) over an alleged HIPAA violation.  

iHealth, a healthcare service provider, was fined $75,000 in June 2023 for a data breach in which the protected health information of 267 individuals was exposed due to an unsecured server. The fact that this affected a relatively small number of patients underlines a key lesson from the debacle: the OCR is committed to enforcing compliance, regardless of the size of your organization or the scope of the damage caused. 

As part of the settlement, iHealth must implement a corrective action plan to enhance the security of electronic protected health information (ePHI). 

2. Kaiser Permanente: $49 million in Fines 

Kaiser Foundation Health Plan, Inc. and Kaiser Foundation Hospitals, California’s largest healthcare provider, reached a $49 million settlement with the state attorney in September.  

While the investigation began looking at the improper disposal of medical waste, it was soon discovered that the dumpsters also held more than 10,000 paper records containing sensitive information about 7,700 patients. 

As a result, Kaiser was forced to hire a third-party consultant to conduct over 1,100 trash audits and has updated its waste disposal procedures. The settlement includes $37.5 million in civil penalties, $4.8 million in legal fees, and $4.9 million for environmental projects. An additional $1.75 million in penalties is possible if Kaiser doesn’t invest $3.5 million in improving compliance at its Californian facilities.  

3. L.A. Care Health Plan: $1.3 Million in Fines

The Local Initiative Health Authority for Los Angeles County, known as L.A. Care Health Plan, has reached a settlement with the OCR to resolve multiple HIPAA Privacy and Security Rule violations. L.A. Care Health Plan, the largest publicly operated health plan in the United States with over 2.7 million members, will pay a penalty of $1,300,000 and implement a comprehensive corrective action plan. 

OCR conducted two separate investigations into L.A. Care Health Plan’s HIPAA compliance. The first investigation was prompted by a media report regarding unauthorized disclosures of protected health information (PHI) through its member portal; OCR found the cause to be a manual processing error. The second investigation followed a data breach report involving the PHI of 1,498 members, which was due to a mailing error that led to members receiving the I.D. cards of other health plan members. 

OCR found multiple instances of non-compliance with HIPAA, identifying six potential HIPAA violations during its investigation. L.A. Care Health Plan agreed to pay the penalty and adopt corrective actions by conducting a security analysis of the entire organization.

4. Maximus: $15 Million+ in Fines

Reston-based Maximus Inc., a government services contractor, recently disclosed a data breach due to hackers exploiting a zero-day vulnerability in Progress Software’s MOVEit Transfer solution in May 2023. 

The breach, for which the Clop ransomware group was responsible, exposed the PHI of approximately 8 to 11 million individuals. Maximus has launched a forensic investigation to assess the scope of the breach, and the review is still ongoing. 

The exact impact of the breach remains uncertain, and Maximus expects several more weeks for the review process to conclude. In response, Maximus will notify affected customers and individuals. Those affected will receive 24 months of complimentary credit monitoring and identity theft protection services. For the quarter ending June 30, 2023, Maximus has incurred expenses of $15 million related to the data breach, with more expected. 

5. Managed Care of North America: Reputational Damage

In early 2023, Managed Care of North America (MCNA), a dental administrator that provides services across eight states, suffered a major healthcare data breach.  

Lockbit, a ransomware group, claimed responsibility for breaching and leaking the PHI of approximately 8.9 million people, including patients, parents, guardians, and guarantors. The group made a $10 million ransom demand. 

MCNA responded to the data breach by taking corrective actions to remediate the situation and strengthen its cybersecurity program to avert future incidents. Although it’s not evident that MCNA had to pay any significant fines, the reputational damage and patient mistrust will impact the organization in the long term. 

Could You Be Next? How to Achieve HIPAA Compliance 

To avoid becoming the next statistic, organizations must proactively strengthen their defenses to address compliance gaps that many healthcare entities, like the ones above, struggle with.  

This includes a lack of adequate cybersecurity procedures to shield from breaches and ransomware, insufficient staff training on handling PHI/ePHI, and more (read our blog for 5 things you need to know for HIPAA compliance). 

You can take the proper steps toward protecting your organization and its PHI by completing three critical actions:

1. Year-Round Compliance Audits 

Year-round HIPAA compliance is the linchpin of any robust data security strategy. Ensuring adherence to HIPAA regulations is not a one-time effort but an ongoing commitment. It demands a comprehensive approach involving continuous employee training, regular risk assessments, and vigilant monitoring of systems and practices. 

Compliance should be ingrained into the organizational culture, where every staff member understands their role in maintaining the security of patient data. 

2. Meeting the HIPAA SRA Deadline 

The HIPAA Security Risk Assessment (SRA) deadline is non-negotiable, and meeting it is fundamental to compliance. It’s a comprehensive evaluation of the organization’s security policies, procedures, and systems.  

Ensuring this assessment is up-to-date, accurate, and thorough is not just a regulatory requirement but a crucial tool for identifying and mitigating security risks. Missing this deadline can result in significant penalties and expose an organization to potential vulnerabilities that could lead to breaches. Making the SRA a top priority is paramount. 

3. Consistent Remediation 

Even with the most diligent preventive measures, vulnerabilities may surface. This is where consistent remediation comes into play. It involves swiftly addressing issues as they arise, whether through proactive risk management or in response to incidents.  

Establishing a well-defined process for identifying, reporting, and remediating security lapses ensures that potential breaches are nipped in the bud. Consistency in addressing vulnerabilities is key to minimizing their impact and maintaining patient trust. 

Conclusion: Start Your HIPAA Assessment Today 

The tales of recent HIPAA breaches serve as cautionary reminders of the stakes involved in compliance. But the key takeaway is not just the awareness of these incidents; it’s the actionable insights they provide.  

To steer clear of the ominous title of “the next HIPAA breach,” organizations must heed the call for year-round compliance, consistent remediation, and meeting the SRA deadline before it’s too late.  

But many organizations lack the in-house expertise to navigate the complex SRA process with confidence – which is why so many turn to HIPAA One®, the automated compliance solution supported by assessors that will guide you through the entire assessment process. 

About the Author

Scott Mattila
CSO, Intraprise Health

Scott Mattila is the Chief Security Officer at Intraprise Health. He has held leadership positions at some of the country’s most prestigious institutions, and is currently an adjunct professor and serves on the Dean's advisory board at Duquesne University's Rangos School of Health Science.