The Office of Civil Rights (OCR) has recently settled with two organizations on major breaches and it’s not going to be cheap!
OCR announced on September 21st, 2020 that an Orthopedic Clinic has agreed to pay $1.5 million to OCR and the Department of Health and Human Services (HHS)! Along with the large sum, the clinic is required to adopt a corrective action plan to mitigate the HIPAA Security and Privacy violations found in the investigation. The settlement was the result of a breach in which the attacker used a vendor’s credentials to access ePHI for over a month! The hacker was attempting to sell the patient records online when a journalist noticed and notified the clinic. 208,557 patients were affected. While investigating, OCR found that the clinic had not implemented risk management or audit controls and had not conducted a risk analysis. The clinic was also not maintaining HIPAA policies and procedures or business associate agreements, and was not providing HIPAA Privacy Rule training to its staff!
OCR also settled for $2.3 million with a HIPAA business associate over a breach that affected over 6 million people! Hackers had access to PHI for 5 months in 2014 by using administrative credentials to access the business associate’s system through its private network. According to OCR’s announcement on September 23rd, 2020, “OCR’s investigation found longstanding, systemic noncompliance with the HIPAA Security Rule including failure to conduct a risk analysis, and failures to implement information system activity review, security incident procedures, and access controls.” The business associate will also be required to implement a corrective action plan.
Keeping up with annual Security Risk Assessments and prioritizing security and privacy can make or break an organization and the patients it serves. What’s at stake? Millions of dollars, reputations, and one VERY large headache. The good news is you can get ahead of it!
For more news releases and bulletins visit the OCR’s Newsroom.