Aetna, city of New Haven hit with OCR fines after data breach
The U.S. Department of Health and Human Services' Office for Civil Rights levied $1,000,000 in fines against Aetna Life Insurance Company and $202,400 against the city of New Haven, Connecticut, to settle potential HIPAA violations.
The fines are just the latest moves on the part of OCR to enforce HIPAA regulations around protected health information (PHI).
WHY IT MATTERS
Over the course of six months, according to an HHS press release, Aetna reported three different data breaches compromising the information of thousands of individuals in total.
In June 2017, Aetna reported that web services used to display plan-related documents to members allowed documents to be indexed by various internet search engines. The protected health information disclosed included names, insurance ID numbers, claim payment amounts, procedure service codes and dates of services.
The next month, Aetna said that it had mailed benefit notices to members using window envelopes – through which the words "HIV medication" could be seen below the members' name and address.
And in September, the company mailed information to members containing on the envelope the name and the logo of the atrial fibrillation study in which they were participating.
In addition to the disclosures, HHS said the company failed to enact proper security protocols around PHI, including limiting disclosures and performing periodic evaluations of operations.
"When individuals contract for health insurance, they expect plans to keep their medical information safe from public exposure. Unfortunately, Aetna's failure to follow the HIPAA Rules resulted in three breaches in a six-month period, leading to this million dollar settlement," said OCR Director Roger Severino in a statement.
Meanwhile, the city of New Haven agreed to pay $202,400 in response to a 2016 breach reported in January 2017. On July 27, 2016, according to HHS, a former health department employee logged into her old computer eight days after being terminated and downloaded protected health information – including patient names, addresses, dates of birth, race or ethnicity, gender and sexually transmitted infection test results – onto a USB drive.
"Additionally, OCR found that the former employee had shared her user ID and password with an intern, who continued to use these login credentials to access PHI on New Haven’s network after the employee was terminated," wrote HHS in a press statement.
Both settlements also include two years of monitoring.
THE LARGER TREND
OCR has levied multiple big-ticket fines in recent months against health systems in response to breach reports.
In September, HHS announced that CHSPSC, a Tennessee-based management company providing business associate services to hospitals and physician clinics indirectly owned by Community Health Systems, had agreed to pay $2.3 million to settle potential HIPAA violations affecting the information of 6 million people.
Such monetary consequences loom especially large at a time when the FBI and HHS, in conjunction with the Cybersecurity and Infrastructure Security Agency, have warned of "increased and imminent" ransomware attacks against hospitals.
While these attacks don't always compromise patient data, experts have noted that any HIPAA-covered entity breach affecting more than 500 individuals will trigger a data request from OCR.
ON THE RECORD
"Medical providers need to know who in their organization can access patient data at all times. When someone’s employment ends, so must their access to patient records," said Severino in a statement about the New Haven incident.