Page 43 - SMRH Eye on Privacy 2019 Year in Review Brochure

HHS Announces First HIPAA Breach Settlement of 2019; 300,000 Patients Affected
Posted on May 13, 2019
On May 6, 2019, the U.S. Department of Health and Human Services announced that Touchstone Medical Imaging will pay $3 million to settle potential HIPAA violations associated with a breach that exposed more than 300,000 patients’ Protected Health Information. The breach occurred in May 2014. One of Touchstone’s servers allowed uncontrolled access to patients’ PHI. As a result, Touchstone patients’ PHI was visible on the Internet. During its investigation, HHS determined that Touchstone did not thoroughly investigate the breach until several months after it was informed of the breach by law enforcement. HHS also found that the company did not conduct an accurate analysis of potential risks to the confidentiality of its PHI and did not have business associate agreements in place with its vendors.
PUTTING IT INTO PRACTICE: This case is a reminder for entities to swiftly respond to suspected and known security incidents and to ensure that appropriate steps are taken to prevent such incidents from occurring in the first place. Steps include performing risk analyses and adopting business associate agreements with vendors.
HIPAA Breach Results in a $4,500,000 Class Action Settlement
Posted on February 20, 2019
Community Health System, one of the largest health systems in the United States, has agreed to pay $4,500,000 to settle claims made against it arising from a 2014 data breach. The data breach, believed to be caused by malware installed by Chinese hackers on CHS’s computer system, exposed the names, dates of birth, addresses, telephone numbers, and Social Security numbers of approximately 4.5 million patients.
Following the breach, numerous lawsuits were filed by patients seeking compensation for the theft of their personal information. The lawsuits were consolidated into a single lawsuit. The settlement, which still must be approved by the judge overseeing the case, provides for two different payments to patients affected by the breach. Individuals who can prove they incurred out-of-pocket expenses as a result of the breach and/or can show evidence of time lost securing their accounts can claim up to $250. Individuals who have suffered identity theft or fraud can recover up to $5,000.
PUTTING IT INTO PRACTICE: This case is a reminder for entities to review their data protection mechanisms. Class action lawsuits by individuals affected by breaches are becoming more common, and could significantly increase the financial penalties and exposure applicable to companies that store patient information.