ePHI deleted: OCR settles another HIPAA investigation

Jan. 9, 2025
More than one Security Rule failure settled.

The U.S. Department of Health and Human Services (HHS), Office for Civil Rights (OCR) concluded another HIPAA violation investigation, settling $337,750 with USR Holdings, LLC.

Nearly 3,000 patients’ electronic protected health information (ePHI) was retrieved by an “unauthorized third party/parties who were able to delete ePHI in the database,” according to an HHS release.

Upon conducting their investigation, OCR found the organization was failing to “conduct an accurate and thorough risk analysis to determine the potential risks and vulnerabilities to ePHI in its systems; to regularly review its information system activity; and to establish and implement procedures to create and maintain retrievable exact copies of ePHI.”

USR will take several steps recommended by OCR to resolve and prevent future breaches.  

HHS release

ID 46737298 © Mark Adams | Dreamstime.com
dreamstime_xxl_46737298
ID 354150902 © Charinporn Thayot | Dreamstime.com
dreamstime_xxl_354150902
ID 175151352 © Andrii Zastrozhnov | Dreamstime.com
dreamstime_xxl_175151352
ID 59932068 © Monkey Business Images | Dreamstime.com
dreamstime_xxl_59932068