Vendor Pays $75,000 HIPAA Fine in Data Exfiltration BreachPatient Information Left Unsecured on Network Server, HHS Says
A Kentucky-based firm that provides coding and billing services to healthcare entities has agreed to pay federal regulators a $75,000 fine and implement a corrective action plan in the wake of an exfiltration incident that compromised patient information contained in an unsecured network server.
The Department of Health and Human Services on Wednesday said the HIPAA settlement with iHealth Solutions, which does business as Advantum Health, involved an investigation into the 2017 incident affecting 267 individuals.
“HIPAA business associates must protect the privacy and security of the health information they are entrusted with by HIPAA-covered entities,” said Melanie Fontes Rainer, director of HHS' Office for Civil Rights.
“Effective cybersecurity includes ensuring that electronic protected health information is secure and not accessible to just anyone with an internet connection," she said.
HHS OCR initiated an investigation into iHealth in August 2017 after receiving a breach report stating that the company had experienced an unauthorized transfer of protected health information - or data exfiltration - from an unsecured server exposed to the internet, the agency said.
Compromised information included patient names, birthdates, addresses, Social Security numbers, email addresses, diagnoses, treatment information, medical procedures and medical histories, HHS OCR said.
In addition to the impermissible disclosure of PHI, OCR's investigation found a lack of evidence that iHealth had conducted a comprehensive, enterprisewide security risk analysis.
Corrective Action Plan
Under its resolution agreement with HHS, iHealth will implement a corrective action plan.
That plan includes iHealth conducting a thorough and accurate security risk analysis; developing and implementing a security risk management plan; executing a process to evaluate environmental and operational changes affecting the security of electronic PHI; and developing, maintaining and revising its written HIPAA policies and procedures.
HHS OCR also said it would monitor iHealth for two years to ensure the company's HIPAA compliance.
iHealth Says No Patient Data Lost
In a statement to Information Security Media Group, iHealth said, "No patient or client data was lost, used for nefarious reasons or negatively affected, and the time the data was exposed was limited to a few hours."
At the time of the breach, iHealth Solutions was under different leadership and was using technology that is no longer in use, the statement said. In the six years since the incident, the company has not had any HIPAA violations, complaints or fines, and it operates with "extremely high security standards," according to the statement.
"iHealth Solutions agreed to the settlement to put an end to this years-dated issue."
The settlement between HHS OCR and iHealth is the sixth HIPAA enforcement action by the agency so far in 2023. The actions add up to about $1.9 million in HIPAA fine collections.
Business associates have been implicated in about 40% of major HIPAA breaches reported to HHS OCR so far this year and are responsible for about 50% of individuals affected.