Federal regulators have slapped a small provider of discounted medical and dental services to underserved patients in rural North Carolina with a $25,000 HIPAA settlement in a case involving an email breach that occurred nearly a decade ago. It’s only the second HIPAA settlement that the Department of Health and Human Services has announced this year.
The HHS resolution agreement is with Washington, N.C.-based Metropolitan Community Health Services Inc., a federally qualified health center that does business as Agape Health Services.
In the only other HIPAA settlement this year, HHS’ Office for Civil Rights announced in March a $100,000 settlement with the Utah medical practice of Steven A. Porter, M.D., in a case related to a business associate dispute (see: Big HIPAA Fine for Solo Doctor Practice).
In 2019, OCR announced 13 HIPAA enforcement actions totaling about $15.3 million. That includes three HIPAA settlements announced by mid-year 2019 totaling $6.1 million.
Breach Details Are Sketchy
In a statement, OCR says that in June 2011, Metropolitan Community Health Services filed a breach report “regarding the impermissible disclosure of protected health information to an unknown email account.”
Neither OCR’s statement nor the resolution agreement in the case describes the circumstances of the email-related breach, which affected nearly 1,300 individuals. But OCR says its investigation into the incident revealed “longstanding, systemic noncompliance with the HIPAA Security Rule.”
Metropolitan Community Health Services failed to conduct any risk analyses, failed to implement any HIPAA Security Rule policies and procedures and neglected to provide workforce members with security awareness training until 2016, OCR says.
“Healthcare providers owe it to their patients to comply with the HIPAA rules,” OCR Director Roger Severino said. “When informed of potential HIPAA violations, providers owe it to their patients to quickly address problem areas to safeguard individuals’ health information.”
Data breaches involving email frequently appear on the HHS HIPAA Breach Reporting Tool website listing breaches impacting 500 or more individuals.
So far this year, 128 incidents – or nearly half of the data breaches added to the tally – involve email. Those incidents, which include phishing attacks, affected a total of 3.3 million individuals.