$2.5 million - CardioNet

The covered entity self-reported as required to OCR that a computing device had been stolen from a workforce member's car. The device contained ePHI. The investigation found that the entity did not have adequate risk analysis and risk management processes in place when the incident occurred. Among other violations, the audit found that HIPAA policies and procedures were still in draft form. | Read the Press Release

$31K - The Center for Children’s Digestive Health

HHS' Office for Civil Rights initiated an audit of the entity while investigating a business associate. The BA stored records containing PHI. OCR found that while the entity stored PHI with the BA for years, the entities did not have a signed Business Associate Agreement with each other in place for most of that time. | Read the Press Release

$400,000 - Metro Community Provider Network

The entity reported a breach to OCR stating that a hacker accessed staff email accounts and obtained the protected health information of 3,200 individuals. OCR found that the entity failed to conduct a risk analysis until after the event. It further found that when the entity did conduct one, it had not implemented any corresponding risk management plans to address the risks and vulnerabilities identified. Additionally, OCR found that the analysis was insufficient to meet the requirements of the Security Rule. | Read the Press Release

$5.5 million - Memorial Healthcare Systems

The covered entity self-reported, as required, that the PHI of over 115,000 individuals had been accessed by its employees and further disclosed. The credentials of a former employee of an affiliate were used to access the information daily, without detection. Although relevant policies and procedures were in place, the entity failed to implement the relevant procedures. | Read the Press Release

$3.2 million - Children’s Medical Center of Dallas

The covered entity reported a breach to OCR, notifying it of the loss of an unencrypted device. The information of approximately 3,800 individuals was on the device. Thereafter, the entity filed another breach report, this time concerning the theft of an unencrypted laptop. This breach affected 2,462 individuals. | Read the Press Release