It’s been about 27 years since the Department of Health and Human Services (HHS) established the Healthcare Insurance Portability and Accountability Act (HIPAA) as the national standard for securely managing health information. As technology continues to serve as a catalyst for improving patient outcomes and boosting patient engagement and satisfaction, it’s more important than ever that the healthcare industry understands how to comply with HIPAA and avoid costly penalties.
Unfortunately, far too many healthcare organizations still commit HIPAA violations. A non-compliant disclosure of protected health information (PHI) compromises the privacy and security of patient data; a HIPAA violation occurs when someone learns something they shouldn’t because there weren’t enough precautions in place to protect the information.
A HIPAA violation can be costly for covered entities, which include hospitals, medical centers, physician practices, other healthcare providers, health plans and business associates. HHS’ Office for Civil Rights (OCR) enforces HIPAA compliance by penalizing any involved covered entity — for both small and large violations. The cost of these HIPAA violations ranges from $100 to $50,000 and is based on a variety of factors, including:
- Whether or not there was malicious intent (civil vs. criminal penalties)
- The degree of negligence
- Whether a doctor violated HIPAA, including through inadvertent disclosure
- If a breach occurred
- The number of records exposed or potentially exposed
- Future risk as a result of the breach
The 5 Biggest HIPAA Violation Cases of 2022
It can take months and years for the OCR to discover and resolve both intentional and accidental HIPAA violation cases. Occasionally, additional HIPAA violations are found during these investigations. We’ve compiled a list of the biggest HIPAA violation cases that occurred last year.
OneTouch Point: A July ransomware attack impacting four million records
OneTouch Point provides marketing execution services to health insurance carriers and medical providers. This breach, which affected more than 30 health plans, occurred through a ransomware attack on the company’s printing and mailing vendor. Data compromised through the attack consisted of names, contact IDs and information procured during patient health assessments. When the breach was first reported by OneTouch Point, it was thought that just over one million individuals were impacted.
Eye Care Leaders: A hacking incident affecting approximately 3.6 million individuals
This North Carolina-based ophthalmology-specific EMR solution provider experienced a breach in which the attacker first gained access to the company’s systems and databases in December 2021 — weeks before the cyberattack. That access enabled the attacker to delete data and system configuration files. The company notified the at least 41 affected providers in March 2022, and each of those entities separately reported the breach. Eye Care Leaders is the subject of multiple lawsuits alleging that it concealed multiple ransomware attacks and related outages that began in March 2021.
Advocate Aurora Health: Impermissible disclosure of up to 3 million records
This breach that was reported in October 2022 is unique in that it involves third-party tracking pixels. The pixels from companies such as Google and Meta were utilized on Advocate’s websites, patient portals and applications to procure insight into the use of its patient-facing digital services. The problem? The tracking code transmitted patient information to its developers and resulted in the accidental disclosure of patients’ IP addresses, appointment dates, times and/or locations, proximity to Advocate Aurora Health locations, provider details, procedure types, insurance information and proxy names. Although the tracking pixels at the center of this breach have since been disabled, the company has been the subject of multiple patient-led class-action lawsuits due to the breach.
Connexin Software: A hacking incident impacting roughly 2.2 million individuals
In August 2022, this Wisconsin-based provider of an EHR solution for pediatric practices detected a breach of its network. In the incident, which affected approximately 120 pediatric physician practices, hackers accessed and exfiltrated an offline set of data used for data conversion and troubleshooting. That data set included names, Social Security numbers, health insurance information, billing and/or claims data and clinical information. The company notified OCR of the breach on November 11, 2022.
Shields Health Care Group: A hacking incident involving 2 million records
A third-party vendor that provides MRI, PET/CT and outpatient surgical services, Shields Health Care Group was the target of a March 2022 breach in which an unknown actor gained access to certain company systems and subsequently acquired data. According to the Massachusetts-based company, the breached data included full names, Social Security numbers, provider information, diagnoses, billing information, medical record numbers, patient IDs, dates of birth, addresses and treatment information. The breach, which impacted nearly 60 healthcare practices, was reported to OCR in May 2022.
How to Ensure HIPAA Compliance
At Providertech, we equip providers, payers and FQHCs with HIPAA-compliant solutions such as secure electronic test result delivery, Appointment Management, Real-Time 2-way Text Messaging and Population Health Outreach Management. Automated communication technologies like our CareCommunity platform that provide HIPAA-compliant SMS text messaging offer an effective solution for providers to proactively keep in touch with their patients before and after encounters — without overextending already constrained staff and budgets.
Read more about HIPAA compliance here.