October 1, 2020. Yesterday, September 30, the New York State Attorney General, Letitia James, announced a multistate settlement of $39.5 million by Anthem for its breach of protected health information (PHI) of 78.8 million customers that began in February 2014 and was disclosed in February 2015. The Announcement stated that Anthem previously settled a $115 million class action that paid “for additional credit monitoring, cash payments of up to $50 per individual breached, and reimbursement for out-of-pocket losses for affected customers.” Also, two years ago in October 2018, Anthem paid $16 million to the Office for Civil Rights (OCR) of the U.S. Department of Health and Human Services (HHS) and was required to implement a Corrective Action Plan to resolve the HIPAA breach of PHI.
In an unusual flurry of activity, OCR resolved eight (8) HIPAA enforcement actions in the second half of September 2020, with resolution amounts totaling $10,786,500:
- September 15, 2020. Five HIPAA investigations under OCR's Right of Access Initiative (the patient's or personal representative's right of access to PHI), with resolution amounts in parentheses, totaling $136,500.
- Housing Works, Inc. ($38,000). Corrective Action: Review and Revise Policies and Procedures for Individual Access to PHI; Provide Privacy Training to Workforce Members on Individual Access to PHI; Submit to HHS Every 90 Days a List of Received Requests for Access to PHI.
- All Inclusive Medical Services Inc. (“AIMS”) ($15,000). Corrective Action: Implement and Distribute Written Policies and Procedures, including Minimum Content: (a) Right to Notice, (b) Content of Notice, (c) Provision of Notice, (d) Right of Access, (e) Timely Action by Covered Entity, (f) Time and Manner of Access, (g) Fees, and (h) Documentation; Mitigate the Complaint.
- Beth Israel Lahey Health Behavioral Services (“BILHBS”) ($70,000). Corrective Action: Implement and Distribute Written Policies and Procedures; Train Workforce Members Responsible for Receiving or Fulfilling PHI Access Requests.
- Patricia King MD & Associates ($3,500). Corrective Action: Review and Revise Policies and Procedures for Individual Access to PHI; Provide Privacy Training on Individual Access to PHI; Mitigate the Complaint.
- Wise Psychiatry, PC ($10,000). Corrective Action: Distribution and Training on Policies and Procedures Regarding Timely Response to Patients’ Requests for Records.
- September 21, 2020. Athens Orthopedic Clinic PA (“Athens Orthopedic”) resolves systemic noncompliance with the HIPAA Rules by paying OCR a settlement of $1.5 million and adopting a Corrective Action Plan.
- “On June 26, 2016, a journalist notified Athens Orthopedic that ‘a database of patient records’ suspected to belong to Athens Orthopedic was posted online for sale. On June 28, 2016, a hacker group contacted Athens Orthopedic by email and demanded money in return for a complete copy of the database it stole without further sale or further disclosure. It was determined through computer forensic analysis that the hacker had obtained a vendor’s credentials to the Athens Orthopedic system and used them to gain access on June 14, 2016. While Athens Orthopedic terminated the compromised credentials on June 27, 2016, the hacker’s continued intrusion was not effectively blocked until July 16, 2016. It was determined that 208,557 individuals were affected by the breach.”
- Corrective Action: Review all vendor relationships and establish business associate agreements; conduct a risk analysis and implement a risk management plan; establish, distribute, and train workforce members on a specific set of safeguard policies and procedures; and provide timely specified reporting to OCR.
- September 23, 2020. HIPAA Business Associate CHSPSC LLC resolves breach affecting over 6 million individuals by paying OCR a settlement of $2.3 million and adopting a Corrective Action Plan.
- “In April 2014, the FBI notified CHSPSC that it had traced a hacking group’s advanced persistent threat to CHSPSC’s information system. Despite this notice, the hackers continued to access and exfiltrate PHI of 6,121,158 individuals until August 2014. The hackers used compromised administrative credentials to remotely access CHSPSC’s information system through its virtual private network. OCR’s investigation found longstanding, systemic noncompliance with the HIPAA Security Rule, including failure to conduct a risk analysis, and failures to implement information system activity review, security incident procedures, and access controls.”
- Corrective Action: Implement an Internal Monitoring Plan; conduct a risk analysis and implement a risk management plan; establish, distribute, and train workforce members on Administrative, Physical, and Technical Safeguard Standards, and revise a specific set of safeguard policies and procedures, including technical access controls, information system activity review, Security Incident Procedures and Response and Reporting, and password management; and institute timely reporting internally about security incidents and to OCR annually.
- September 25, 2020. Health Insurer Premera Blue Cross (“PBC”) resolves breach affecting over 10.4 million individuals by paying OCR a settlement of $6.85 million and adopting a Corrective Action Plan.
- “On March 17, 2015, PBC filed a breach report on behalf of itself and its network of affiliates stating that cyber-attackers had gained unauthorized access to its information technology (IT) system. The hackers used a phishing email to install malware that gave them access to PBC’s IT system in May 2014, which went undetected for nearly nine months until January 2015. This undetected cyberattack, otherwise known as an advanced persistent threat, resulted in the disclosure of more than 10.4 million individuals’ PHI including their names, addresses, dates of birth, email addresses, Social Security numbers, bank account information, and health plan clinical information. OCR’s investigation found systemic noncompliance with HIPAA Rules, including failure to conduct an enterprise-wide risk analysis, and failure to implement a risk management plan and audit controls.”
- Corrective Action: Conduct a risk analysis; develop and implement a risk management plan; establish or update, distribute, and train workforce members on appropriate safeguard policies and procedures, including specific Security Rule Standards, and provide timely reporting to OCR on compliance.
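Two of the three breach settlements above turn on the same pair of failures: remote access with compromised credentials (a vendor's at Athens Orthopedic, an administrator's over the VPN at CHSPSC) and no effective review of information system activity to notice it, so the intrusions ran for weeks or months. The script below is an added example, not code from this page, from OCR or from any of the covered entities. It sketches the minimum an "information system activity review" (the HIPAA Security Rule standard at 45 CFR 164.308(a)(1)(ii)(D)) of VPN session logs should catch: a terminated credential that still authenticates, a privileged account connecting from outside its usual networks, and a session that moves far more data outbound than normal. The log format, account baseline, disable dates and byte threshold are all constructed assumptions for illustration.

```python
"""Minimal information-system activity review over VPN session logs.

Added example (not code from the page, OCR or any covered entity). The
log lines, baseline, disable dates and threshold below are constructed.
"""
import ipaddress
from datetime import datetime

# Constructed sample log: one line per completed VPN session. Not real data.
SAMPLE_LOG = """\
2014-04-02T08:03:11Z user=jdoe src=198.51.100.20 result=success bytes_out=120400
2014-04-02T23:41:57Z user=vpn_admin src=203.0.113.77 result=success bytes_out=98200000
2014-04-03T01:12:04Z user=vpn_admin src=203.0.113.77 result=success bytes_out=2100000000
2014-04-03T09:15:30Z user=vendor_svc src=192.0.2.15 result=success bytes_out=50000
2014-04-05T03:08:45Z user=vendor_svc src=203.0.113.90 result=success bytes_out=700000000
2014-04-06T10:00:00Z user=jdoe src=198.51.100.21 result=failure bytes_out=0
"""

# Assumed baseline: networks each account normally connects from and whether
# it is privileged. A real review would derive this from months of history.
BASELINE = {
    "jdoe": {"networks": ["198.51.100.0/24"], "privileged": False},
    "vpn_admin": {"networks": ["198.51.100.0/24"], "privileged": True},
    "vendor_svc": {"networks": ["192.0.2.0/24"], "privileged": True},
}
# Assumed: when the vendor account was supposed to have been terminated.
DISABLED_AT = {"vendor_svc": datetime(2014, 4, 4)}
# Assumed per-session outbound threshold (500 MiB); tune to your own traffic.
EXFIL_BYTES = 500 * 1024 * 1024


def parse_line(line):
    """Parse 'ts key=value ...' into a dict with typed ts and bytes_out."""
    ts, *fields = line.split()
    rec = dict(f.split("=", 1) for f in fields)
    rec["ts"] = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")
    rec["bytes_out"] = int(rec["bytes_out"])
    return rec


def review(log_text, baseline=BASELINE, disabled_at=DISABLED_AT,
           exfil_bytes=EXFIL_BYTES):
    """Return (ts, user, finding) tuples for every successful session that
    violates one of three checks. Failed logins are out of scope here."""
    findings = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_line(line)
        if rec["result"] != "success":
            continue
        user = rec["user"]
        src = ipaddress.ip_address(rec["src"])
        profile = baseline.get(user)
        if profile is None:
            # An account nobody baselined is itself a finding.
            findings.append((rec["ts"], user, "unknown_account"))
            continue
        # 1. Credentials that were terminated but still authenticate: the
        #    termination did not take effect, or another path exists.
        if user in disabled_at and rec["ts"] >= disabled_at[user]:
            findings.append((rec["ts"], user, "disabled_account_login"))
        # 2. Privileged account arriving from outside its baseline networks.
        in_baseline = any(src in ipaddress.ip_network(n)
                          for n in profile["networks"])
        if profile["privileged"] and not in_baseline:
            findings.append((rec["ts"], user, f"privileged_new_source:{src}"))
        # 3. Outbound volume consistent with bulk exfiltration.
        if rec["bytes_out"] >= exfil_bytes:
            findings.append((rec["ts"], user,
                             f"large_transfer:{rec['bytes_out']}"))
    return findings


def accounts_needing_review(findings):
    """Distinct accounts with at least one finding, sorted for reporting."""
    return sorted({user for _, user, _ in findings})


if __name__ == "__main__":
    for ts, user, finding in review(SAMPLE_LOG):
        print(f"{ts.isoformat()} {user:<12} {finding}")
    print("review:", ", ".join(accounts_needing_review(review(SAMPLE_LOG))))
```

The point of the exercise is not the three rules, which any SIEM can express, but that they run on a schedule against every privileged and vendor account and that someone is accountable for the output. In both settlements the credentials were eventually revoked; what the resolution agreements fault is that nothing reviewed the access in the meantime, and at Athens Orthopedic the revocation itself did not end the intrusion, which is exactly what the disabled-account check is there to surface.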
CAIPHI has designed its mobile, cloud-based platform, CyPHIcomply®, as a data and documentation management tool for demonstrating compliance with the HIPAA Privacy, Security, and Breach Notification Rules and for avoiding significant civil financial penalties and the onerous HHS approval and reporting requirements imposed under a resolution agreement's Corrective Action Plan. See a short 3-minute demonstration of the functionality of CyPHIcomply® at: WATCH.
1 This announcement is available online at: https://ag.ny.gov/press-release/2020/attorney-general-james-helps-secure-395-million-after-anthems-2014-data-breach.
2 Information on OCR’s Resolution Agreements and Civil Money Penalties is available online at: