HHS settles phishing investigation with Solara Medical Supplies for $3M
Caitlin Anthoney Jan 15, 2025 9:11:43 AM
The U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR) has reached a $3 million settlement with Solara Medical Supplies, LLC following a phishing attack that compromised over 114,000 individuals’ protected health information (PHI).
What happened
Solara Medical Supplies, a distributor of diabetes management products, reported a breach in November 2019 after a phishing attack allowed unauthorized access to eight employee email accounts between April and June 2019. The breach exposed 114,007 individuals’ PHI.
In January 2020, Solara reported an additional breach after sending 1,531 notification letters to incorrect addresses. OCR's investigation revealed that Solara failed to conduct a proper risk analysis, implement adequate security measures, and provide timely breach notifications.
Going deeper
Under the corrective action plan, Solara must address the identified HIPAA violations by:
- Performing a detailed, organization-wide risk analysis to identify vulnerabilities in its information systems.
- Developing and enforcing a proactive risk management strategy to mitigate identified security risks.
- Updating and maintaining written HIPAA policies and procedures for continuous compliance.
- Conducting ongoing, role-specific HIPAA training programs to equip employees with the knowledge and skills to safeguard PHI.
OCR will monitor Solara's adherence to the corrective action plan for two years.
What was said
In the recent HHS news release, OCR Director Melanie Fontes Rainer stated, “Healthcare entities that fail to address identified cybersecurity issues leave themselves vulnerable to cyberattacks. OCR urges health care entities to prioritize securing their information systems and take all necessary steps to reduce and prevent cyberattacks and safeguard PHI.”
FAQs
Does HIPAA apply to phishing attacks in healthcare?
Yes, phishing attacks in healthcare fall under Health Insurance Portability and Accountability Act (HIPAA) regulations. Phishing attacks compromising the privacy and security of protected health information (PHI) can lead to severe penalties, including fines and reputational damage.
Who needs to comply with HIPAA?
HIPAA compliance is required for covered entities, such as healthcare providers, health plans, and healthcare clearinghouses, as well as their business associates who handle protected health information (PHI).
How can providers make Google Workspace email HIPAA compliant?
Providers must use a Business or Enterprise plan, sign a business associate agreement (BAA) with Google, and use a HIPAA compliant platform, like Paubox, to protect patient information.