On January 14, 2025, the Department of Health and Human Services (HHS) Office for Civil Rights (OCR) announced a HIPAA settlement with Solara Medical Supplies, LLC (Solara) arising from a phishing incident. Solara, a direct-to-patient supplier of diabetes care products, had filed a breach report with OCR in November 2019 describing the incident, which launched an OCR investigation.
Not every breach results in an OCR settlement, but when an investigation finds that an organization failed to meet HIPAA requirements, the outcome is often a monetary payment and a corrective action plan, as it was for Solara.
The HIPAA Phishing Incident and Breach Notification Snafu
A phishing incident becomes a HIPAA breach when an attacker who has phished a healthcare worker's email credentials gains access to that mailbox, because any patient protected health information (PHI) stored there, in messages, attachments, or contact records, is then presumed to have been accessible to the attacker.
In the attack on Solara, an unauthorized party used phished credentials to access employee email accounts between April and June 2019. The PHI in those accounts covered 114,007 patients, who were left exposed to identity theft. Solara filed a breach report with OCR in November 2019 and mailed breach notification letters to the affected patients, as the HIPAA Breach Notification Rule requires when unsecured PHI is compromised.
But the PHI exposure did not end with the discovery of the phishing incident.
Making matters worse, Solara mailed 1,531 of those breach notification letters to the wrong addresses. Because a notification letter itself identifies the recipient as a Solara patient, the misdirected mailing was a further disclosure of PHI. In January 2020, Solara filed a second breach report informing OCR of the misdirected mailing.
OCR Investigation and Settlement
Phishing incidents, especially large ones, typically trigger an OCR investigation into whether the organization had implemented reasonable and appropriate safeguards for PHI. Breaches can occur even with security measures in place, but OCR expects organizations to have assessed their risks and put controls in place to reduce them.
“Cyberattacks have skyrocketed exponentially in recent years. Effective cybersecurity requires identifying potential risks and vulnerabilities to health information and implementing effective security measures to protect against them,” said OCR Director Melanie Fontes Rainer. “Health care entities that fail to address identified cybersecurity issues leave themselves vulnerable to cyberattacks. OCR urges health care entities to prioritize securing their information systems and take all necessary steps to reduce and prevent cyberattacks and safeguard protected health information.”
The investigation found that Solara had not adequately protected PHI and uncovered several potential violations of the HIPAA Security Rule. The misdirected breach notification mailing was flagged as a separate failure.
OCR determined that Solara failed to:
- Conduct a compliant risk analysis to identify the potential risks and vulnerabilities to ePHI
- Implement security measures sufficient to reduce the risks and vulnerabilities to ePHI to a reasonable and appropriate level
- Provide timely breach notification to individuals, HHS, and the media
Under the resolution agreement, Solara agreed to implement a corrective action plan (CAP) to address these failures, will be monitored by OCR for two years, and paid $3,000,000 to OCR. The full resolution agreement and CAP are published on the HHS website.