2019 phishing breach results in $3,000,000 settlement

Jan. 16, 2025
Multiple Security Rule and Breach Notification Rule failures settled.

A phishing incident resulted in the breach of more than 114,000 patients’ electronic protected health information (ePHI), according to an announcement from the U.S. Department of Health and Human Services (HHS).

The Office for Civil Rights (OCR) settled with Solara Medical Supplies (Solara) for $3,000,000 over multiple potential HIPAA Security Rule and Breach Notification Rule violations.

The phishing incident happened in 2019, when eight Solara employees’ email accounts were compromised by an “unauthorized third party.” Between April and June 2019, 114,007 individuals’ ePHI was accessed. A second breach was reported to OCR in January 2020, “when Solara reported that it had sent 1,531 breach notification letters to the wrong mailing addresses.”

OCR’s investigation identified the following failures:

· Failure to perform a thorough risk analysis “to identify the potential risks and vulnerabilities to ePHI in Solara's systems.”

· Failure to apply “security measures sufficient to reduce the risks and vulnerabilities to ePHI to a reasonable and appropriate level.”

· Failure to report the breaches in a timely manner.

In addition to the $3,000,000 settlement, Solara will execute “a corrective action plan that will be monitored by OCR for two years.”

Source: HHS release