[BreachExchange] US Hospitals Fined $2.175M for "Refusal to Properly Report" Data Breach

Destry Winant destry at riskbasedsecurity.com
Wed Dec 4 10:09:52 EST 2019


An American health services provider has agreed to pay a fine of
$2.175m after refusing to properly notify Health and Human Services of
a data breach.

In April of 2017, a complaint regarding Sentara Hospitals was received
by the Department of Health and Human Services (HHS). The complainant
said that they had received a bill from Sentara Hospitals containing
another patient’s protected health information (PHI).

An investigation launched by the Office for Civil Rights (OCR)
determined that Sentara had merged the billing statements for 577
patients with 16,342 different guarantors' mailing labels, resulting
in the disclosure of the PHI of 577 individuals.

Information exposed by the breach included patient names, account
numbers, and dates of services they had received.

Sentara reported this incident as a breach affecting only eight
individuals. The health services provider had incorrectly concluded
that unless a disclosure included patient diagnosis, treatment
information, or other medical information, no reportable breach of PHI
had occurred.

A spokesperson for HHS said: "Sentara persisted in its refusal to
properly report the breach even after being explicitly advised of
their duty to do so by OCR."

The OCR also determined that Sentara Hospitals provides services
involving the receipt, maintenance, and disclosure of PHI for its
member-covered entities, but did not enter into a business associate
agreement with its business associate Sentara Healthcare until October
17, 2018, well after the breach.

Sentara manages 12 acute-care hospitals with more than 300 sites
throughout Virginia and North Carolina. The health services provider
agreed to take corrective action and pay $2.175m to settle potential
violations of the Health Insurance Portability and Accountability Act
(HIPAA) Breach Notification and Privacy Rules.

Roger Severino, OCR director, said: "HIPAA compliance depends on
accurate and timely self-reporting of breaches because patients and
the public have a right to know when sensitive information has been

"When health care providers blatantly fail to report breaches as
required by law, they should expect vigorous enforcement action by

In addition to the monetary settlement, Sentara will undertake a
corrective action plan that includes two years of monitoring. As part
of the plan, Sentara will have to develop, maintain, and revise, as
necessary, their written policies and procedures to comply with
federal standards.
