Tag Archives: PHI

Cardiology Group Hard Drive Stolen

Denton Heart Group, located throughout Dallas, has notified 21,665 patients that their protected health information has been compromised as a result of the theft of a hard drive from a locked closet. The hard drive that was in the closet contained the group’s backup data from the practice’s electronic health system—which included apparently of all … Continue Reading

Vanderbilt University Medical Center PHI Breached by Patient Transporters

Vanderbilt University Medical Center (VUMC) has announced that it will be sending breach notification letters to over 3,000 patients as a result of unauthorized access to PHI by two patient transporters. According to the announcement, VUMC audited its medical records (as it is required to do by HIPAA), and found that two individuals who worked … Continue Reading

Report Summarizes Healthcare Data Breaches in January 2017

Health care data breaches are not slowing. According to a report issued by Protenus, in conjunction with www.databreaches.net, the summary of healthcare data breaches in 2017 continues where 2016 left off. In January 2017, there were 31 data breaches reported to the Office for Civil Rights. The breaches resulted in the compromise of 388,307 patient … Continue Reading

Three-Month Delay Means Health Network Must Pay

A delay in reporting a HIPAA violation can result in a significant monetary penalty. That was the message sent by the Office for Civil Rights (OCR), which recently announced the first HIPAA settlement based on the untimely reporting of a breach of unsecured protected health information (PHI). According to the OCR, Presence Health (a large … Continue Reading

ONC and OCR Issue Joint Fact Sheet on Use of PHI for Public Health Activities

Whenever fact sheets or other guidance are issued by either the Office of the National Coordinator for Health Information Technology (ONC) or the Office for Civil Rights (OCR), they help us gain insight into the thinking of the regulators, so we watch them closely. But when the ONC and OCR issue joint guidance, it is hitting … Continue Reading

Three Former Warner Chilcott District Managers Prosecuted for HIPAA Violations

The United States Attorney’s Office for the District of Massachusetts recently announced that three former district managers of the pharmaceutical firm Warner Chilcott have been sentenced for violating the Health Insurance Portability and Accountability Act (HIPAA) and committing healthcare fraud. The allegations include that the district managers directed certain sales representatives to fill out prior … Continue Reading

Central Ohio Urology Group Notifies 300,000 Patients of Breach

Approximately 300,000 patients of Central Ohio Urology Group have been notified that their protected health information has been stolen and posted online. Although the actual date of the hacking has not been released, the records were posted online on August 2, 2016. The stolen data posted online included names, addresses, telephone numbers, email addresses, dates … Continue Reading

OCR Releases HIPAA Guidance on Cloud Computing

On October 6, 2016, the Department of Health and Human Services Office for Civil Rights (OCR) released HIPAA guidance on cloud computing (Guidance). The Guidance is intended to help covered entities and business associates understand their HIPAA obligations in cloud computing arrangements, and clarify the HIPAA obligations of cloud service providers (CSPs). The Guidance notes … Continue Reading

OCR issues audit protocol and targets over 800 entities—business associates too

The Office for Civil Rights (OCR) has issued its revamped audit protocol for its second phase of auditing covered entities and business associates’ compliance with the HIPAA Privacy, Security and Breach Notification Rules. The lengthy audit protocol is posted on the OCR website. It provides general instructions, and then cites each statutory section of the … Continue Reading

Class action suit filed against 21st Century Oncology for data breach

We previously reported [view related post] that 21st Century Oncology had suffered a data breach and notified 2.2 million patients that it had been the victim of a hacking that exposed the names, Social Security numbers, physicians’ names, diagnosis information, and insurance information of its patients. Although the intrusion occurred in October 2015, 21st Century … Continue Reading

HHS/OCR releases guidance for mobile apps and health information exchange and “fact sheets”

The Office for Civil Rights has provided additional educational materials for app developers through the app developers portal that it developed last fall. The new material is intended to assist healthcare entities and software developers to learn from different scenarios that explain when HIPAA applies to mobile health apps and when it doesn’t. In particular, … Continue Reading

Lincare, Inc. ordered to pay civil monetary fines for HIPAA violations

In an unusual scenario (in fact, only the second time in history), the Office for Civil Rights (OCR) was successful before an Administrative Law Judge (ALJ) in obtaining an order for the payment of civil monetary fines as a result of HIPAA violations. The OCR assessed a penalty of $240,000 against Lincare Holdings, Inc. (Lincare) … Continue Reading

Eight District Attorneys in Oklahoma sued for wrongfully disclosing personal information in court filings

Generally, court filings are public records unless sealed from public access by a judge. Vast amounts of personal information contained in public records can be, and are, accessed by criminals in order to obtain personal information of individuals, which can be aggregated with other information, to perpetrate fraud and identity theft. For this reason, most … Continue Reading

Class action suit dismissed against Georgia Secretary of State for data breach

We previously reported that the Georgia Secretary of State’s office experienced a massive data breach in October, and didn’t find out about it until November. The breach affected approximately 6 million Georgian voters, and included their names, addresses, dates of birth, driver’s license numbers and Social Security numbers. Following the data breach and notification to … Continue Reading

Centene announces search for missing hard drives containing PHI of 950,000 individuals

Centene Corporation, a health insurer headquartered in St. Louis, announced on January 25 in a press release that it is undertaking an “ongoing comprehensive internal search for six hard drives that are unaccounted for in its inventory of information technology (IT) assets.” The press release states that the hard drives contained the names, addresses, dates of … Continue Reading

HHS issues new guidance on individual access to PHI under HIPAA

On January 7, 2015, HHS issued new guidance (Guidance) regarding an individual’s right to access his or her health information under HIPAA’s Privacy Rule. The Guidance emphasizes that HIPAA, while protecting the privacy and confidentiality of individuals’ health information, also recognizes the importance of providing individuals with access to their health information. The Guidance reviews … Continue Reading

Lahey Hospital agrees to pay a whopping $850,000 to OCR for stolen laptop

Just before Thanksgiving, the Office for Civil Rights (OCR) announced that Lahey Hospital and Medical Center (Lahey) has agreed to pay $850,000 in fines and penalties to the OCR and enter into a resolution agreement following the self-disclosure that a laptop containing CT scans was stolen from Lahey in October of 2011. Surprisingly, the fine … Continue Reading

Triple-S settles HIPAA violations for $3.5M

Triple-S Management Corp., an insurance holding company based in San Juan, Puerto Rico, has agreed to settle an investigation of HIPAA violations by the Office for Civil Rights (OCR) for $3.5 million. According to the OCR press release dated November 30, Triple-S, formerly known as American Health Medicare Inc., will pay the fine and “adopt … Continue Reading

Former hospital employee convicted and sentenced for HIPAA violations

The US Attorney’s Office for the Eastern District of Texas recently announced that a former employee of an East Texas hospital has been sentenced to 18 months in federal prison for criminal HIPAA violations. Although we frequently report on any civil penalties imposed by the Office for Civil Rights of the Department of Health and … Continue Reading