
$3.5 Million - Triple-S Management Corporation (“TRIPLE-S”)

OCR started investigating after the entity submitted multiple breach notification self-reports. OCR’s investigations found non-compliance throughout the organization's subsidiary entities, including the failure to conduct the required risk analysis. | Read the HHS News Release

$850,000 - Lahey Hospital and Medical Center

The entity self-reported to OCR, as required, that a laptop was stolen from an unlocked room in 2011. The device contained the PHI of nearly 600 patients. OCR's investigation indicated significant non-compliance with HIPAA, including the failure to conduct the required risk analysis and the failure to implement and maintain appropriate policies and procedures. | Read the HHS News Release

$750,000 - Cancer Care Group, P.C.

The organization self-reported to OCR, as required, a breach of unsecured electronic protected health information after an employee’s computer and unencrypted backup media were stolen from an employee’s car. The media contained information on approximately 55,000 current and former patients. OCR’s subsequent investigation found that, prior to the breach, the organization was in widespread non-compliance with the HIPAA Security Rule. | Read the HHS News Release

$218,400 - St. Elizabeth’s Medical Center

OCR received a complaint alleging noncompliance with HIPAA by workforce members. Specifically, it was alleged that workforce members used an internet-based document sharing application to store documents containing electronic protected health information (ePHI). | Read the HHS Bulletin

$125,000 - Cornell Prescription Pharmacy

The Office for Civil Rights started an investigation after being alerted by a news report about the disposal of documents containing patients' PHI in an unlocked, open container on the company's premises. The investigation found that the company had failed to implement any written policies and procedures as required. The company had also failed to provide the required HIPAA training. | Read the HHS Resolution Agreement