Indiana Attorney General Todd Rokita has filed a lawsuit against Apria Healthcare alleging violations of HIPAA and Indiana law. The suit was triggered by a data breach that affected at least 42,000 Indiana residents and about 1.8 million people nationwide.
Apria provides home healthcare equipment and related services across the United States, serving more than 2 million patients from roughly 270 locations, including several in Indiana.
The lawsuit stems from incidents that occurred in 2019 and 2021.
On September 1, 2021, the FBI notified Apria that an unauthorized third party had likely gained access to its systems. The intruder accessed millions of documents containing protected health information (PHI) and other personal information, as well as several Apria employee email accounts, including that of Apria's CEO.
Apria’s investigation revealed that between April 5 and May 7, 2019, and from August 27 to October 10, 2021, an unauthorized third party accessed large amounts of PHI by breaking into Apria’s internal systems, including several employee email accounts.
Apria Delayed Notification
Apria did not notify affected patients of the 2019 and 2021 breaches until May 2023, 629 days after the breaches were discovered. The lawsuit alleges that this delay, together with Apria's other conduct, violated HIPAA and Indiana law. Apria's parent company, Owens & Minor, allegedly knew about the breaches when it acquired Apria in March 2022.
“Everyone should feel protected by their health care providers,” Attorney General Rokita said. “When your private information is accessible or leaked to a stranger, you’re susceptible to life-altering threats, such as identity theft and financial ruin. Our office has adamantly fought back against careless companies who disregard major cybersecurity threats.”
The complaint alleges that Apria concealed the breach from consumers and failed to implement the policies and procedures HIPAA requires. Because of inadequate administrative and technical safeguards, the unauthorized third party was allegedly able to access PHI and personally identifiable information, including Social Security numbers, birth certificates, credit and debit card information, medical histories, and addresses.
According to AG Rokita, Apria's notification to patients and consumers was unreasonably delayed, and that delay significantly increased the risk that affected individuals would become victims of identity deception, theft, or fraud.
The HIPAA Breach Notification Rule requires that individual notification letters be sent "without unreasonable delay" and in no case later than 60 calendar days after the breach is discovered. A breach is treated as discovered on the first day it is known to the covered entity, or on which it would have been known had the entity exercised reasonable diligence, so the clock does not wait for an internal investigation to finish.
HIPAA Enforcement Can Come from States
Indiana’s lawsuit reminds us that the HITECH Act of 2009 gave State Attorneys General the authority to bring civil actions on behalf of state residents for violations of the HIPAA Privacy and Security Rules.
These lawsuits typically pair the HIPAA claims with allegations of state law violations. In the Indiana lawsuit, the state statutes alleged to have been violated are the Indiana Disclosure of Security Breach Act and the Indiana Deceptive Consumer Sales Act.
HIPAA Policies and Risk Analysis Prevent Expensive Lawsuits
The lawsuit alleges that Apria repeatedly avoided and delayed HIPAA compliance due to cost, even after receiving warnings from reputable third parties. The lawsuit, filed on February 29, 2024, claims, “As of this filing, Apria has not implemented reasonable procedures to protect and safeguard this information from unlawful use or disclosure.”
Making HIPAA compliance a priority now is far cheaper than defending a lawsuit like this one. The Privacy and Security Rules are a blueprint for safeguarding patient privacy and strengthening cybersecurity, and the Security Rule's risk analysis is a required implementation specification, not an optional best practice. Written policies and procedures, a documented risk analysis with a corresponding risk management plan, and workforce HIPAA training are all achievable, and together they are the most cost-effective path to compliance.