2023 was a banner year for healthcare fines and breaches. The Department of Health and Human Services (HHS) Office for Civil Rights settled thirteen cases with healthcare organizations for potential HIPAA violations. The OCR breach portal also listed 553 large-scale breaches on its site.
2023 OCR Fines: Who and Why
In 2023, the HHS OCR settled cases with eight covered entities and four business associates for potential HIPAA violations. Fines ranged from $15,000 to $1.3 million, totaling $4,176,500.
Which entities were fined?
- LA Care Health Plan: $1,300,000
- Banner Health: $1,250,000
- Lafourche Medical Group: $480,000
- MedEvolve: $350,000
- Yakima Valley Memorial Hospital: $240,000
- Optum Medical Care of New Jersey: $160,000
- St. Joseph’s Medical Center: $80,000
- UnitedHealthcare: $80,000
- iHealth Solutions: $75,000
- Manasa Health Center: $30,000
- Life Hope Labs: $16,500
- David Mente, MA, LPC: $15,000
HIPAA Security Rule Violations
LA Care Health Plan suffered a breach in which 1,498 patients were affected. Because they failed to conduct an organization-wide risk analysis, failed to implement policies and procedures, and lacked adequate security controls, they were fined.
Banner Health suffered a hacking incident in which 2.81 million individuals were affected. Because Banner Health failed to conduct an accurate and thorough risk analysis, failed to implement sufficient procedures to regularly review records of information system activity, and failed to implement technical security measures, they were fined.
Lafourche Medical Group suffered a phishing incident in which 34,862 patients were affected. Since they failed to conduct a security risk assessment (SRA) and lacked policies and procedures to review information system activity regularly, they were fined.
MedEvolve suffered a network server incident in which a data file was inadvertently placed on a file transfer server separate from their client hosting environment. Since they failed to conduct an SRA and enter into a business associate agreement (BAA) with a subcontractor, they were fined.
iHealth Solutions filed a breach report indicating that an unauthorized transfer of protected health information (PHI) from an unsecured server had occurred. Because they failed to conduct a thorough SRA and lacked a risk management plan, they were fined.
Right of Access Fines
- Optum Medical Care failed to provide timely access to medical records to six patients
- UnitedHealthcare failed to provide timely access to a patient’s medical records
- Life Hope Labs failed to provide timely access to the medical records of a deceased patient to their personal representative
- David Mente, MA, LPC, failed to provide timely access to the medical records of a minor patient to their personal representative
Unauthorized Access and Disclosure Fines
Yakima Valley Memorial Hospital suffered an insider breach in which 23 security guards used their login credentials to access patients' electronic protected health information (ePHI). Due to a lack of policies, procedures, and access controls, Yakima was fined.
St. Joseph’s Medical Center disclosed patient information to a news reporter without consent. As a result, they were fined, must amend their policies and procedures, and retrain their workforce on the new guidelines.
Manasa Health Center impermissibly disclosed PHI in response to a patient's negative online review. As a result, they were fined and must amend their policies and procedures and retrain their workforce.
2023 Fines Facts and Lessons
- HIPAA Security Rule violation fines reigned supreme
- The HIPAA Right of Access Initiative remained a top priority for enforcement
- Doctors' offices must learn how to respond to patient reviews
- Insider breaches remain a threat, highlighting the importance of policies, procedures, employee training, and access controls
- Hacking and phishing incidents are bound to happen, but when organizations fail to conduct an SRA and implement robust security controls, they will be fined
- Business associate agreements ensure your vendors uphold HIPAA standards, and when they don’t, they’ll be fined – not you
2023 Healthcare Breaches: Facts and Figures
There were 553 large-scale breaches reported on the OCR breach portal in 2023. Those breaches affected a staggering 109,405,318 patients, an increase of 98.9% as compared to 2022’s 55 million patients.
Ransomware and hacking are still the primary cyber threats in healthcare. According to the HHS, over the past four years, there has been a 239% increase in large breaches reported to OCR involving hacking and a 278% increase in ransomware. This trend continued in 2023, where hacking accounted for 83% of the large breaches reported to OCR.
Unauthorized access or disclosure of PHI accounted for 14.83% of breaches on the OCR online portal, while theft accounted for 1.63% of incidents reported. Both improper disposal and loss of medical records accounted for less than 1% of reported breaches.
In 2023, the majority of breaches listed by OCR were reported by healthcare providers: 358 incidents, representing 64.74% of reported breaches and affecting 35,188,999 patients. While business associates reported only 112 incidents, the number of patients affected by business associate breaches reached an all-time high of 59,315,445, or 54.22% of all patients affected. 82 health plans also reported breaches, affecting 14,900,373 patients. One healthcare clearinghouse reported a breach affecting 501 patients.
Preventing Healthcare Breaches and Fines
As breaches targeting healthcare organizations skyrocket, it is essential to implement measures that prevent unauthorized access to sensitive data. Implementing an effective HIPAA compliance program is the best way to do so. HIPAA compliance includes risk analysis, policies and procedures, employee training, and incident management. Had the organizations fined by OCR over the last year implemented an effective compliance program, the incidents and subsequent fines could have been prevented.
Learn more about 2023 healthcare breaches and fines in our upcoming webinar. Register today!