
Four New OCR Settlements Feature Breaches, Shared Passwords, Records Access—Again

Following a month in which it announced eight settlement agreements totaling more than $10 million, the HHS Office for Civil Rights (OCR) continued its enforcement streak in October, dinging a city health department, a large insurer, a hospital system and an orthopedic practice for a variety of alleged HIPAA violations.

The most costly settlement was with Aetna Life Insurance Company and an affiliate covered entity (CE), now a part of CVS Health, which paid OCR $1 million following three breaches it experienced in 2017.[1] Next was $202,400 from the city of New Haven, Connecticut,[2] followed by $160,000 from St. Joseph’s Hospital and Medical Center in Phoenix, Arizona,[3] and $100,000 from NY Spine Medicine.[4]

The Aetna settlement is noteworthy because it marks the fourth time the insurer has paid for one of the three breaches, namely the July 28, 2017, mailing to 11,887 individuals that, as OCR explained in its announcement, had the words “HIV medication” visible “through the envelope’s window below the member’s name and address.”

In separate agreements in 2018, Aetna settled a class action suit for $17 million over the envelopes and paid California $935,000 for the same incident.[5] A year later, it entered into a settlement with state attorneys general for more than $600,000.[6]

But there were two other breaches that same year. A month earlier, “Aetna submitted a breach report to OCR stating that on April 27, 2017, Aetna discovered that two web services used to display plan-related documents to health plan members allowed documents to be accessible without login credentials and subsequently indexed by various internet search engines. Aetna reported that 5,002 individuals were affected by this breach,” OCR announced, with “names, insurance identification numbers, claim payment amounts, procedures service codes, and dates of service” among the protected health information (PHI) disclosed.

Lastly, 1,600 individuals were mailed information in an envelope on which “the name and logo of the atrial fibrillation (irregular heartbeat) research study in which they were participating” appeared. The mailing occurred in September and was reported in November.
