US Hospitals Fined $2.175M for "Refusal to Properly Report" Data Breach
An American health services provider has agreed to pay a fine of $2.175M after refusing to properly notify the Department of Health and Human Services of a data breach.
In April of 2017, a complaint regarding Sentara Hospitals was received by the Department of Health and Human Services (HHS). The complainant said that they had received a bill from Sentara Hospitals containing another patient’s protected health information (PHI).
An investigation launched by the Office for Civil Rights (OCR) determined that Sentara had merged the billing statements for 577 patients with 16,342 different guarantors' mailing labels, resulting in the disclosure of the PHI of 577 individuals.
Information exposed by the breach included patient names, account numbers, and dates of services they had received.
Sentara reported this incident as a breach affecting only eight individuals. The health services provider had incorrectly concluded that unless a disclosure included patient diagnosis, treatment information, or other medical information, no reportable breach of PHI had occurred.
A spokesperson for HHS said: "Sentara persisted in its refusal to properly report the breach even after being explicitly advised of their duty to do so by OCR."
The OCR also determined that Sentara Hospitals provides services involving the receipt, maintenance, and disclosure of PHI for its member-covered entities, but did not enter into a business associate agreement with its business associate Sentara Healthcare until October 17, 2018, well after the breach.
Sentara manages 12 acute-care hospitals with more than 300 sites throughout Virginia and North Carol …