Security Shredding and Storage - a shredding industry publication

HIPAA Reports Record Number of Enforcements in 2018

By Ken McEntee
Enforcement actions for violations of the Health Insurance Portability and Accountability Act (HIPAA) set a record last year, according to the U.S. Department of Health and Human Services Office for Civil Rights (OCR), which concluded an all-time record year in enforcement activity.

In 2018, OCR settled 10 cases - including a case involving a defunct record storage company - and was granted summary judgment in a case before an administrative law judge, together totaling $28.7 million from enforcement actions. This total surpassed the previous record of $23.5 million, set in 2016, by 22 percent.

OCR also achieved a $16 million settlement with Anthem Inc., the largest individual HIPAA settlement ever. The settlement was almost three times larger than the previous record of $5.5 million, reached in 2016.

“Our record year underscores the need for covered entities to be proactive about data security if they want to avoid being on the wrong end of an enforcement action,” said OCR Director Roger Severino.

OCR’s final settlement of 2018 occurred in December, when Cottage Health, of Santa Barbara, Calif., agreed to pay $3 million to OCR and to adopt a substantial corrective action plan to settle potential violations of the HIPAA rules.

Cottage Health operates Santa Barbara Cottage Hospital, Santa Ynez Cottage Hospital, Goleta Valley Cottage Hospital and Cottage Rehabilitation Hospital, all in California. OCR received two notifications from Cottage Health regarding breaches of unsecured electronic protected health information (ePHI) affecting more than 62,500 individuals, one in December 2013 and another in December 2015.

OCR said the first breach arose when ePHI on a Cottage Health server was accessible from the internet. OCR’s investigation determined that security configuration settings of the Windows operating system permitted access to files containing ePHI without requiring a username and password. As a result, patient names, addresses, dates of birth, diagnoses, conditions, lab results and other treatment information were available to anyone with access to Cottage Health’s server.

The second breach occurred when a server was misconfigured following an IT response to a troubleshooting ticket, exposing unsecured ePHI over the internet. This ePHI included patient names, addresses, dates of birth, social security numbers, diagnoses, conditions, and other treatment information. OCR’s investigation revealed that Cottage Health failed to conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity and availability of the ePHI; failed to implement security measures sufficient to reduce risks and vulnerabilities to a reasonable and appropriate level; failed to perform periodic technical and non-technical evaluations in response to environmental or operational changes affecting the security of ePHI; and failed to obtain a written business associate agreement with a contractor that maintained ePHI on its behalf.

“The Cottage settlement reminds us that information security is a dynamic process and the risks to ePHI may arise before, during and after a covered entity implements system changes,” Severino said.

In addition to the $3 million settlement, Cottage will undertake a robust corrective action plan to comply with the HIPAA Rules.

Here are OCR's other settlements and judgments from 2018:

Filefax Inc.

In January 2018, OCR settled for $100,000 with Filefax Inc., a now-closed medical records maintenance, storage and delivery services provider based in Northbrook, Ill. OCR’s investigation found that Filefax impermissibly disclosed protected health information (PHI) of about 2,150 people by leaving the PHI in an unlocked truck in the Filefax parking lot, or by granting permission to an unauthorized person to remove the PHI from Filefax and leaving the PHI unsecured outside the Filefax facility.

Consequences for HIPAA violations don’t stop when a business closes, OCR said.

In February 2018, a receiver appointed to liquidate the assets of Filefax agreed to pay $100,000 out of the receivership estate to OCR to settle the HIPAA violations. Although Filefax shut its doors during the course of OCR’s investigation into alleged HIPAA violations, it could not escape its obligations under the law, OCR said.

On February 10, 2015, OCR received an anonymous complaint alleging that on February 6 and 9, 2015, an individual had transported medical records obtained from Filefax to a shredding and recycling facility in order to sell them. OCR opened an investigation, which confirmed that an individual had left the medical records of about 2,150 patients at the shredding and recycling facility, and that these medical records contained patients’ protected health information.

“The careless handling of PHI is never acceptable,” Severino said. “Covered entities and business associates need to be aware that OCR is committed to enforcing HIPAA regardless of whether a covered entity is opening its doors or closing them. HIPAA still applies.”

Fresenius Medical Care

In January 2018, OCR settled for $3.5 million with Fresenius Medical Care North America (FMCNA), a Waltham, Mass.-based provider of products and services for people with chronic kidney failure. OCR said FMCNA filed five breach reports for separate incidents occurring between February 23 and July 18, 2012, implicating the ePHI of five FMCNA-owned covered entities. OCR’s investigation revealed that FMCNA failed to conduct an accurate and thorough risk analysis of potential risks and vulnerabilities to the confidentiality, integrity and availability of all of its ePHI. Additional potential violations included failure to implement policies and procedures and failure to implement a mechanism to encrypt and decrypt ePHI, when it was reasonable and appropriate to do so under the circumstances.

MD Anderson Cancer Center

In June 2018, an HHS administrative law judge ruled in favor of OCR and required the University of Texas MD Anderson Cancer Center, a Houston-based cancer center, to pay $4.3 million in civil money penalties for HIPAA violations. OCR said it investigated MD Anderson following three separate data breach reports in 2012 and 2013 involving the theft of an unencrypted laptop from the residence of an MD Anderson employee and the loss of two unencrypted USB thumb drives containing the unencrypted ePHI of more than 33,500 individuals.

OCR’s investigation found that MD Anderson had written encryption policies going back to 2006 and that MD Anderson’s own risk analyses had found that the lack of device-level encryption posed a high risk to the security of ePHI.

Despite the encryption policies and high risk findings, MD Anderson did not begin to adopt an enterprise-wide solution to encrypt ePHI until 2011, and even then it failed to encrypt its inventory of electronic devices containing ePHI between March 24, 2011 and January 25, 2013, OCR said. This matter is under appeal with the HHS Departmental Appeals Board.

Boston hospitals

In September 2018, OCR said that it reached separate settlements totaling $999,000 with Boston Medical Center, Brigham and Women's Hospital and Massachusetts General Hospital - all of Boston - for compromising the privacy of patients’ PHI by inviting film crews on premises to film an ABC television network documentary series without first obtaining authorization from patients.

Advanced Care Hospitalists

Also in September 2018, OCR settled with Advanced Care Hospitalists (ACH), a contractor physician group in Lakeland, Fla., for $500,000. ACH filed a breach report confirming that ACH patient information was viewable on a medical billing service’s website.

OCR said its investigation revealed that ACH never had a business associate agreement with the individual providing medical billing services to ACH, and failed to adopt any policy requiring business associate agreements until April 2014.

Although ACH had been in operation since 2005, it had not conducted a risk analysis or implemented security measures or any other written HIPAA policies or procedures before 2014, OCR said.

Allergy Associates

In October 2018, OCR settled with Allergy Associates, a Hartford, Conn.-based health care practice that specializes in treating individuals with allergies, for $125,000.

In February 2015, a patient of Allergy Associates contacted a local television station to speak about a dispute that had occurred between the patient and an Allergy Associates’ doctor. OCR’s investigation found that the reporter subsequently contacted the doctor for comment and the doctor impermissibly disclosed the patient’s PHI to the reporter.

Anthem Inc.

In October 2018, Anthem paid $16 million to OCR and agreed to take substantial corrective action to settle potential violations of the HIPAA rules after a series of cyber attacks led to the largest U.S. health data breach in history.

“The largest health data breach in U.S. history fully merits the largest HIPAA settlement in history,” Severino said. “Unfortunately, Anthem failed to implement appropriate measures for detecting hackers who had gained access to their system to harvest passwords and steal people’s private information.”

Anthem is one of the nation’s largest health benefits companies, providing medical care coverage to one in eight Americans through its affiliated health plans. Its breach affected ePHI that Anthem maintained for its affiliated health plans and any other covered entity health plans.

Anthem filed a breach report after discovering that cyber-attackers had gained access to its IT system through an undetected, continuous and targeted cyber attack for the apparent purpose of extracting data, otherwise known as an advanced persistent threat attack. After filing its breach report, Anthem discovered that the cyber-attackers had infiltrated its system through spear phishing emails sent to an Anthem subsidiary, after at least one employee responded to the malicious email and opened the door to further attacks.

OCR’s investigation revealed that between December 2, 2014 and January 27, 2015, the cyber attackers stole the ePHI of almost 79 million individuals, including names, social security numbers, medical identification numbers, addresses, dates of birth, email addresses and employment information.

“We know that large health care entities are attractive targets for hackers, which is why they are expected to have strong password policies and to monitor and respond to security incidents in a timely fashion or risk enforcement by OCR,” Severino said.

In addition to the impermissible disclosure of ePHI, OCR’s investigation revealed that Anthem failed to conduct an enterprise-wide risk analysis, had insufficient procedures to regularly review information system activity, failed to identify and respond to suspected or known security incidents and failed to implement adequate minimum access controls to prevent the cyber-attackers from accessing sensitive ePHI beginning as early as February 18, 2014.

In addition to the $16 million settlement, Anthem said it will undertake a robust corrective action plan to comply with the HIPAA Rules.

Pagosa Springs Medical Center

In November 2018, Pagosa Springs Medical Center, a critical access hospital in Pagosa Springs, Colo., paid $111,400 to OCR to resolve potential violations concerning a former PSMC employee who continued to have remote access to PSMC’s web-based scheduling calendar after separation of employment. The calendar contained patients’ ePHI.

OCR’s investigation revealed that PSMC impermissibly disclosed the ePHI of 557 individuals to its former employee.

Ken McEntee is the publisher and editor of The Paper Stock Report, providing market intelligence for the paper recycling industry. Visit
