Four business associates failed to conduct a thorough HIPAA risk analysis and paid significant settlements to resolve investigations. The Office for Civil Rights (OCR) at the U.S. Department of Health and Human Services (HHS) announced the settlements last week and today, totaling more than $3.5 million.
- Solara Medical Supplies, LLC – $3,000,000
- USR Holdings, LLC – $337,750
- Elgon Information Systems, LLC – $90,000
- Virtual Private Network Solutions, LLC – $80,000
You can avoid costly enforcement actions and better protect patient data in your care by reviewing your risk analysis today.
HIPAA Enforcement Priorities
Two of OCR’s HIPAA enforcement priorities played a role in all four investigations: the risk analysis initiative OCR began in early 2024, and its practice of opening investigations on the basis of a ransomware attack alone. For more about the risk analysis initiative, see slide 17 of this HIPAA Summit presentation.
The investigations of Elgon and VPN Solutions stemmed from ransomware attacks. The Solara investigation resulted from a phishing incident, while the USR Holdings investigation resulted from the deletion of nearly 3,000 patients’ electronic protected health information (ePHI) by an unauthorized third party.
In addition to the settlement payments, all four companies will be monitored for compliance under corrective action plans.
Settlement Agreements Mandate Improved Compliance
Solara Medical Supplies
Solara sells and distributes continuous glucose monitors, insulin pumps, and other supplies to patients with diabetes.
In November 2019, OCR received a breach report concerning a phishing attack in which an unauthorized third party accessed eight of Solara’s employees’ email accounts between April and June 2019, resulting in the breach of 114,007 individuals’ ePHI. In January 2020, OCR received notification of a second breach, when Solara reported that it had sent 1,531 breach notification letters to the wrong mailing addresses. OCR’s investigation determined that Solara failed to conduct a compliant risk analysis to identify the potential risks and vulnerabilities to ePHI in Solara’s systems; failed to implement security measures sufficient to reduce the risks and vulnerabilities to ePHI to a reasonable and appropriate level; and failed to provide timely breach notification to individuals, HHS, and the media.
In addition to the $3,000,000 payment, Solara is subject to a two-year corrective action plan and must:
- Conduct an accurate and thorough risk analysis to determine the potential risks and vulnerabilities to the ePHI in its systems;
- Implement a written risk management plan to address and mitigate security risks and vulnerabilities identified in the risk analysis;
- Develop, maintain, and revise, as necessary, its written policies and procedures to comply with the HIPAA Rules; and
- Train its workforce on its HIPAA policies and procedures.
USR Holdings
OCR initiated an investigation following the receipt of a breach report filed by USR in February 2019. The report stated that from August 23, 2018, through December 8, 2018, a database containing the ePHI of 2,903 individuals was accessed by one or more unauthorized third parties, who were able to delete ePHI in the database.
OCR’s investigation found potential violations of the HIPAA Security and Privacy Rules, including failures to conduct an accurate and thorough risk analysis to determine the potential risks and vulnerabilities to ePHI in its systems; to regularly review its information system activity; and to establish and implement procedures to create and maintain retrievable exact copies of ePHI.
In addition to the $337,750 payment, USR Holdings is subject to a two-year corrective action plan and must:
- Conduct an accurate and thorough risk analysis to determine the potential risks and vulnerabilities to the confidentiality, integrity, and availability of its ePHI;
- Implement a risk management plan to address and mitigate security risks and vulnerabilities identified in its risk analysis;
- Develop a process to evaluate any environmental or operational changes that affect the security of ePHI;
- Develop, maintain, and revise, as necessary, its written policies and procedures to comply with the HIPAA Rules; and
- Distribute any updated HIPAA policies and procedures to its workforce.
Elgon Information Systems
Elgon is a Massachusetts company that provides electronic medical record and billing support services to covered entities.
On March 25, 2023, an unknown actor accessed a server on Elgon’s information system through open ports on Elgon’s firewall. Elgon did not detect the intrusion until March 31, 2023, when a ransom note was found. In June 2023, Elgon filed a breach report with HHS stating that approximately 31,248 individuals were affected when Elgon’s computer system was infected with ransomware. The PHI disclosed included demographic information (name, social security number, address, driver’s license, and date of birth) and clinical information (medication, diagnosis, and condition).
OCR’s investigation determined that Elgon failed to conduct an accurate and thorough risk analysis to determine its system’s potential risks and vulnerabilities to ePHI.
In addition to the $90,000 payment, Elgon is subject to a three-year corrective action plan and must:
- Review and update its risk analysis to identify the potential risks and vulnerabilities to the confidentiality, integrity, and availability of the ePHI in its systems;
- Update its enterprise-wide risk management plan (its strategy for protecting the confidentiality, integrity, and availability of ePHI) to address and mitigate any security risks and vulnerabilities found in the updated risk analysis;
- Review and revise, if necessary, its written policies and procedures to comply with the Privacy and Security Rules; and
- Provide workforce training on HIPAA policies and procedures.
Virtual Private Network Solutions
VPN Solutions is a Virginia company that provides data hosting and cloud services to covered entities (health plans, health care clearinghouses, and most health care providers) and business associates.
In December 2021, OCR received a breach report concerning a ransomware incident that affected portions of the VPN Solutions server infrastructure. VPN Solutions filed the breach report on behalf of twelve covered entities, which had delegated their responsibility to report the breach to VPN Solutions. VPN Solutions reported that it became aware of the attack on October 31, 2021. The initial report indicated that the encrypted data included names, addresses, dates of birth, driver’s license information, social security numbers, other identifiers, claim information, bank account numbers, other financial information, diagnoses/conditions, lab results, medications, and other treatment information. OCR’s investigation determined that VPN Solutions had failed to conduct a compliant risk analysis to determine the potential risks and vulnerabilities to ePHI in its systems.
In addition to the $80,000 payment, VPN Solutions is subject to a one-year corrective action plan and is required to:
- Conduct an accurate and thorough risk analysis to determine the potential risks and vulnerabilities to the confidentiality, integrity, and availability of its ePHI;
- Implement a risk management plan to address and mitigate security risks and vulnerabilities identified in its risk analysis;
- Develop, maintain, and revise, as necessary, its written policies and procedures to comply with the HIPAA Rules; and
- Conduct a breach risk assessment of the October 31, 2021, breach and provide evidence to OCR that all covered entities affected by the breach have been notified of the breach and the identity of individuals affected.
Risk Analysis is Central to Compliance
In all four cases, OCR found that the organization had failed to conduct a compliant HIPAA risk analysis, and all four corrective action plans therefore require a fresh risk analysis and a risk management plan that addresses what it finds. Two of the cases also show what a risk analysis is meant to surface: Elgon’s server was reachable through open ports on its firewall, and the intrusion went unnoticed for six days until a ransom note was found; USR Holdings neither regularly reviewed its information system activity nor maintained retrievable exact copies of the ePHI that the attackers deleted.
Proactive risk management under the HIPAA Rules is far cheaper than an enforcement action: it keeps ePHI safer and leaves you with the documented analysis and risk management plan that OCR asks for when it investigates.