According to a summary released by the HHS Office for Civil Rights (OCR), in 2018, OCR settled 10 cases and was granted summary judgment in one case totaling $28.7 million in recoveries for alleged violations of the Health Insurance Portability and Accountability Act (HIPAA). This sets the record for total annual recoveries, following $23.5 million recovered by OCR in 2016.
OCR also set the record for the single largest settlement of $16 million with Anthem, Inc. to settle allegations that Anthem violated certain HIPAA requirements prior to and following a 2015 cyber-attack in which protected health information (PHI) of nearly 79 million individuals was stolen from Anthem’s enterprise data warehouse. This settlement was nearly three times larger than OCR’s previous record settlement of $5.5 million with Advocate Health Care in 2016. Additional details regarding the Anthem settlement are available here.
OCR’s final settlement of the year was with Cottage Health for $3 million regarding two alleged breaches of unsecured electronic protected health information (ePHI) affecting over 62,500 individuals, one in December 2013 and another in December 2015. The breaches exposed unsecured ePHI over the internet, including patient names, addresses, dates of birth, Social Security numbers, diagnoses, conditions, lab results and other treatment information. OCR alleged that Cottage Health failed to accurately and thoroughly assess the potential risks and vulnerabilities; failed to implement sufficient security measures; failed to implement procedures to perform periodic evaluations in response to changes affecting the security of ePHI; and failed to enter into a written business associate agreement with a contractor that maintained ePHI on Cottage Health’s behalf. Cottage Health also agreed to enter into a corrective action plan. The Cottage Health settlement and corrective action plan can be found here.
OCR’s summary of its 2018 HIPAA settlements can be found here.