- The breach occurred due to a third-party vendor that prints and mails the organization’s bills.
- The incident led to the exposure of patients’ PHI. This included names, account information, and dates of services.
Violating HIPAA rules can lead to a hefty penalty for a healthcare firm that suffers a data breach. Sentara Hospitals has recently been asked to pay a fine of $2.175 million over potential HIPAA violations in a 2017 security incident.
In 2017, HHS received a complaint alleging that Sentara Hospitals had sent a patient a bill that contained another patient’s health data. However, the Office for Civil Rights’ (OCR) investigation revealed that the healthcare firm had mailed protected health information (PHI) of 577 patients to the wrong addresses.
The breach occurred due to a third-party vendor that prints and mails the organization’s bills.
What information was exposed?
The incident led to the exposure of patients’ PHI. This included names, account information, and dates of services.
Where was the fault?
Initially, Sentara Hospitals reported that the incident affected only eight individuals. The health system claimed that a PHI breach had not occurred because the improper disclosure did not contain diagnoses, treatment information, or medical data.
Following Sentara Hospitals’ repeated failure to provide exact information about the breach, OCR took stringent action against the health system.
“When healthcare providers blatantly fail to report breaches as required by law, they should expect vigorous enforcement action by OCR,” said OCR Director Roger Severino in a statement.
The OCR’s investigation also revealed that Sentara failed to put in place a business associate agreement with Sentara Healthcare, an entity that performed business associate services involving the receipt, maintenance, and disclosure of PHI for its member covered entities in the health system.
How did Sentara respond?
In addition to the civil monetary penalty, Sentara has agreed to implement corrective action plans. Officials will also need to develop, maintain, and revise, as necessary, written policies and procedures that comply with HIPAA, regarding breach notifications for unsecured protected health information.