‘Long-Standing HIPAA Deficiencies’ Found in 2 Breaches Affecting Only 2,250 People
Federal regulators have smacked a large California health plan with a $1.3 million fine to settle potential HIPAA violations for two relatively small breaches that affected about 2,250 individuals. But officials indicate “long-standing HIPAA deficiencies” were a “systemic” problem at the insurer.
The U.S. Department of Health and Human Services’ Office for Civil Rights on Monday said its investigation into the two incidents at Los Angeles-based L.A. Care Health Plan found evidence of potential noncompliance with the HIPAA Privacy and Security Rules across the organization, amounting to “a serious concern given the size of this covered entity.”
L.A. Care describes itself on its website as “the nation’s largest publicly operated health plan,” providing health benefits and coverage to 2.9 million members through state and federal programs, such as Medicaid and Medicare, as well as through Affordable Care Act insurance plans.
“Breaches of protected health information by a HIPAA-regulated entity often reveal systemic noncompliance with the HIPAA Rules,” said Melanie Fontes Rainer, HHS OCR director, in a statement Monday. “HIPAA-regulated entities need to be proactive in ensuring their compliance with the HIPAA Rules, and not wait for OCR to reveal long-standing HIPAA deficiencies.”
During its investigation into L.A. Care, HHS OCR found potential violations. Regulators said the insurer needed to meet HIPAA requirements, including conducting an accurate and thorough security risk analysis, implementing security measures to reduce risks and vulnerabilities, and performing a periodic technical and nontechnical evaluation to address environmental or operational changes affecting the security of electronic protected health information.
Breach Details
The two separate L.A. Care security incidents at the center of HHS OCR’s investigation respectively occurred in January 2014 and January 2019.
Regarding the first incident, HHS said it opened a compliance review of L.A. Care in January 2016 based on a March 2014 online article reporting that on Jan. 24, 2014, some L.A. Care health plan members who had logged into the payment portal were able to view the name, address and member identification number of another individual. The disclosures, which occurred over two days, affected about 750 individuals and were caused by a “manual information processing error,” HHS OCR said.
L.A. Care filed a breach report to HHS OCR about the mishap in February 2016 during the course of the agency’s investigation into the incident, HHS OCR said.
The second incident occurred on Jan. 30, 2019, and was reported by L.A. Care to HHS OCR on March 15, 2019. In that incident, L.A. Care reported that the Los Angeles Department of Public Social Services had notified the health plan that some L.A. Care health plan members received in the mail identification cards meant for other members.
That mailing error affected nearly 1,500 individuals.
Besides paying a financial settlement, under the resolution agreement with HHS OCR, L.A. Care will implement a corrective action plan.
That plan calls for L.A. Care to take measures that include conducting an enterprisewide HIPAA security risk analysis, developing an enterprisewide risk management plan to address and mitigate any security issues identified in the risk analysis, and developing and providing to its workforce an augmented HIPAA security and privacy training program.
In a statement provided to Information Security Media Group, L.A. Care said HHS OCR’s investigation into the incidents had determined that the health plan’s conduct “was not intentional” and that L.A. Care had taken reasonable corrective action upon discovery.
“During the course of the OCR’s investigation, other opportunities to strengthen the privacy and security of member data were identified, and L.A. Care is working on implementing those enhanced protocols and processes. None of these discovered areas have resulted in a data breach,” the L.A. Care statement said.
“L.A. Care made operational changes due to the processing errors soon after their discovery, and L.A. Care and the OCR have mutually agreed to a corrective action plan to reduce the risk of similar events occurring in the future,” L.A. Care said in the statement to ISMG.
The $1.3 million financial settlement with L.A. Care is the eighth – and largest – monetary HIPAA enforcement action taken by HHS OCR so far this year.
The next-largest financial settlement was a $1.25 million fine levied against Arizona-based Banner Health in February for a 2016 hacking breach that compromised the PHI of nearly 3 million individuals (see: Feds Smack Banner Health With $1.25M Fine in Breach).