HHS OCR Settles HIPAA Security Rule Investigation of BayCare Health System for $800k and Corrective Action Plan
[It's an insider wrongdoing case from 2018 that we never heard about at the time]
https://www.europesays.com/2053234/ Hack on Infusion Center Software Supplier Affects 118,000 #breach #ClassActionLawsuit #Data #DataTheft #EndueSoftware #hack #HHSOCR #InfusionCenter #Maine
Breach notifications needed to be made faster in 2024. Instead, they were made more slowly.
Some findings from #Bluesight 2025 Breach Barometer report plus additional observations and my frustration with #HHSOCR for not enforcing the notification requirements in #HIPAA and #HITECH.
So... apart from the fact that I don't think they should have dropped charges against this doctor, is HHS going to investigate why the hospital gave access to patient data to a former employee/resident who no longer worked there and was never these patients' doctor?
US Justice Department drops case against Texas doctor charged with leaking transgender care data:
https://www.wfaa.com/article/news/local/us-justice-department-drops-case-against-doctor-charged-with-leaking-transgender-care-data/287-3e8a394d-41fb-41bf-bf72-fd012b87851b
HHS OCR settles charges that Inmediata Health Group was exposing patient protected health info online for 3 years due to a webpage error.
Inmediata previously settled a class action lawsuit stemming from the 2016-2019 leak. They also settled a lawsuit by 33 state attorneys general last year. The HHS OCR settlement was for $250k monetary penalty; no corrective action plan was needed since the states' settlement already included a corrective action plan.
Direct link to the resolution agreement:
Inmediata even had trouble with their incident response, as noted on my blog at the time: https://databreaches.net/2019/04/30/in-the-process-of-notifying-patients-of-a-web-exposure-breach-inmediata-experiences-a-mail-exposure-breach/
#HHSOCR announced a $1.19M monetary penalty for Gulf Coast Pain Consultants stemming from a 2019 #databreach. Now we find out that the "third party" that accessed the data was a former contractor.
The covered entity got hit with a fine for failure to:
Still in the dark: A “500 marker” on HHS's public breach tool is updated, but too many still aren’t. Is HHS doing anything about this??
Spoiler alert: They don't seem to be.
HHS Office for Civil Rights Settles Ransomware Cybersecurity Investigation under HIPAA Security Rule for $250,000 - September 26, 2024
This stemmed from a March 2017 #ransomware attack and #databreach affecting Cascade Eye & Skin Centers in WA. #HHSOCR became aware of it in May 2017.
Why did it take 7+ years to resolve this?
And btw, I never knew about this breach and even now, cannot find any major media coverage or disclosure of it at the time. And it never showed up on HHS's public breach tool during all this time. Why didn't it show up if it affected 291,000?
This is HHSOCR's 4th ransomware-related investigation under the #HIPAA Security Rule.