
Advocate Medical Sued for Breach of Patient Electronic Medical Records

A failure to do what it plainly should have known to do could cost Advocate Medical in Illinois $50,000 or more in penalties for a breach of HIPAA law. The attorney bringing the suit, Shannon M. McNulty, described the breach as a failure “to follow basic operating procedures”.

The lawsuit was filed over the loss of patient records stored on a computer that was stolen in July 2013. The computer’s hard drive could hold the records of nearly 4 million patients, including names, Social Security numbers, addresses, birth dates, medical records, and insurance information. That combination gives the thieves everything they need for identity theft and fraud.

In its defense, Advocate Medical stated that it believes the thieves were not targeting the private, sensitive information stored on the computer. Because it believes the plaintiffs lack evidence, Advocate Medical argues that the suit has no merit and expects to win it.

Unfortunately for Advocate Medical, the HIPAA rules are clear, and for an entity of its size there is little tolerance for a claim of ignorance.

You can read the full release at

Walgreens Sued for Sharing Patient’s Private Medical Info

An Indiana woman was awarded $1.44 million in a suit against Walgreens Co. after a pharmacist illegally accessed and shared her private medical information. The case centered on the Health Insurance Portability and Accountability Act (HIPAA). HIPAA requires health care providers to follow strict rules for handling patients’ private information, but it does not provide a “private cause of action,” which means that a patient cannot sue under HIPAA itself over a breach of privacy. On that reading, the Walgreens suit should never have made it to trial.

Audra Peterson, a pharmacist at Walgreens, used her system access to look up the private information of Abigail Hinchy, a customer of the pharmacy and the ex-girlfriend of Peterson’s husband. Peterson suspected that Hinchy had given her husband a sexually transmitted disease and looked up Hinchy’s medical history. Peterson then shared that information with her husband, who sent Hinchy a text message making clear that he knew her medical history.

Hinchy called the pharmacy to complain, but no action was taken, and Peterson was able to access her information a second time. The suit accused Walgreens Co. of negligence in its supervision of Peterson, and the judge and jury found the company liable for 80 percent of the damages owed to Hinchy.

Although the case arguably should not have gone to trial, attorney Neal F. Eggeson mounted the suit and won. By taking these kinds of cases he hopes that “this opens eyes — both by lawyers like me and by the health care providers.”

You can read the full release here.

HHS Settles With Affinity Health Plan Inc. In Photocopier Breach Case

Affinity Health Plan, Inc., a not-for-profit, will pay $1,215,780 to the U.S. Department of Health and Human Services to settle potential violations of the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Privacy and Security Rules. HIPAA covered entities like Affinity are required to report to Health and Human Services when protected health information has been disclosed.

CBS Evening News ran an investigative report in which it purchased photocopiers that had previously been leased by Affinity. CBS found that confidential medical information had never been erased from the copiers’ hard drives. Affinity filed a breach report after CBS informed it of the medical information found on the drives.

Affinity disclosed the protected health information of an estimated 344,579 individuals when it returned multiple photocopiers to leasing agents before the confidential customer information had been removed from their hard drives.

Under the settlement, Affinity agreed to pay $1,215,780, to put safeguards in place for electronic protected health information, and to attempt to recover all hard drives from the leased photocopiers. You can read more about the agreement here.

Make sure that your data is secure and that you mitigate as much risk as possible by engaging with HIPAA One.

WellPoint Agrees To Pay HHS $1.7 Million For Leaving Information Accessible Over Internet

According to the U.S. Department of Health and Human Services (HHS), WellPoint Inc. has agreed to pay $1.7 million to settle potential violations of the HIPAA Security and Privacy Rules. You can read more about it here.

HHS hopes that this case and other recent cases send an important message to all HIPAA covered entities: take great care to protect data privacy and security when implementing changes to their information systems, especially when those changes involve updates to web-based applications or portals that house consumers’ electronic medical records.

If you are going to be implementing changes to your information systems and want to make sure that you stay compliant and minimize the risk associated with such changes, we recommend you reach out to our HIPAA experts today!


Idaho State University Settles HIPAA Security Case For $400,000

According to the Department of Health and Human Services (HHS), Idaho State University has agreed to pay $400,000 for violations of the HIPAA Security Rule. The settlement was reached after the health records of 17,500 patients of an ISU clinic were compromised. You can read more about it here.

The Office for Civil Rights (OCR) opened an investigation after ISU notified HHS that a server firewall had been disabled. Through its investigation, OCR found that ISU had not applied proper security measures and policies, all of which could have been avoided by consulting a HIPAA security consultant and performing routine HIPAA security audits.

This isn’t the first time a well-known university has been penalized for a health data breach. We wrote about Indiana University and its breach in another post that you can find here.

Kim Kardashian’s HIPAA Privacy case – A HIPAA Law by Law Perspective

Hi, this is Steven Marco.

I wanted to post this article as a great example of how hospitals and clinics can protect the organization from inappropriate actions of its staff. And I am always thinking about which HIPAA rules a case like this touches.

This case is a shining example of why unique user IDs are required for all EMR/EHR/ePHI system access (164.312(a)(2)(i)): they make it possible to review logs of system activity (164.308(a)(1)(ii)(D)) and attribute each record access to a specific person. The staff were no doubt fired under the organization’s personnel sanction policy (164.308(a)(1)(ii)(C)), and the hospital can demonstrate due diligence in responding to this security incident (164.308(a)(6)(ii)).

Imagine for a second that a suit were filed for disclosing Protected Health Information (PHI), or that the Kardashians filed a patient complaint with HHS under HIPAA. Without the appropriate controls in place, the hospital could be found negligent and face Civil Monetary Penalties and potential lawsuits.
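The log review that the unique-user-ID requirement makes possible is easy to show in code. The following is an added example, not code from the original post or from HIPAA One: it runs a small "information system activity review" over a constructed EHR access log and flags exactly the two patterns in the Walgreens and Kardashian cases above, a user opening the chart of a patient who is not on their care team, and the same user doing it again after a complaint. The log format, user and patient IDs, care-team roster and watch list are all assumptions made up for the demo; a real review would read the EHR's audit trail and the scheduling or assignment system instead.

```python
import csv
from collections import defaultdict
from dataclasses import dataclass
from io import StringIO

# Constructed sample EHR access log (not real data).  Each row is one chart
# access attributed to a unique user ID; without unique IDs nothing below
# can be tied back to a person.  Column names are an assumption for the demo.
SAMPLE_LOG = """\
timestamp,user_id,patient_id,action
2013-07-01T08:02:11,u1001,p555,view_chart
2013-07-01T08:05:40,u1002,p777,view_chart
2013-07-01T09:14:03,u1003,p555,view_chart
2013-07-01T09:15:10,u1003,p555,print_chart
2013-07-02T14:31:55,u1003,p555,view_chart
"""

# Constructed care-team roster: patient -> user IDs with a treatment relationship.
ROSTER = {"p555": {"u1001"}, "p777": {"u1002"}}

# Patients whose records get extra scrutiny, e.g. after a complaint or because
# they are high profile (assumption for the demo).
WATCHLIST = {"p555"}


@dataclass(frozen=True)
class Finding:
    user_id: str
    patient_id: str
    timestamp: str
    action: str
    watchlisted: bool
    reason: str


def parse_log(text):
    """Parse the CSV access log into a list of dict rows."""
    return list(csv.DictReader(StringIO(text)))


def review_access(rows, roster, watchlist):
    """Flag chart accesses by users outside the patient's care team.

    Repeats per (user, patient) are counted so that a second access after a
    complaint stands out, and accesses to watchlisted patients are marked.
    """
    findings = []
    repeats = defaultdict(int)
    for row in rows:
        user, patient = row["user_id"], row["patient_id"]
        if user in roster.get(patient, set()):
            continue  # documented treatment relationship; nothing to flag
        repeats[(user, patient)] += 1
        n = repeats[(user, patient)]
        watched = patient in watchlist
        reason = "access outside care team"
        if watched:
            reason += " to watchlisted patient"
        if n > 1:
            reason += f" (repeat #{n})"
        findings.append(Finding(user, patient, row["timestamp"], row["action"], watched, reason))
    return findings


def users_to_escalate(findings):
    """Users to refer under the sanction policy: any access to a watchlisted
    patient, or more than one access to the same patient outside the care team."""
    counts = defaultdict(int)
    escalate = set()
    for f in findings:
        counts[(f.user_id, f.patient_id)] += 1
        if f.watchlisted or counts[(f.user_id, f.patient_id)] > 1:
            escalate.add(f.user_id)
    return sorted(escalate)


if __name__ == "__main__":
    found = review_access(parse_log(SAMPLE_LOG), ROSTER, WATCHLIST)
    for f in found:
        print(f"{f.timestamp} {f.user_id} {f.action} {f.patient_id}: {f.reason}")
    print("escalate:", users_to_escalate(found))
```

On the sample log the review flags only u1003, three times against the same patient, and puts that user on the escalation list. The point of the example is the dependency chain: the roster check only works because every access carries a unique user ID, and the sanction step only works because the review ran; a shared or generic login would turn every finding into "someone" and leave the organization unable to show the due diligence described above.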

Here is one of the many news articles covering this story – thanks to the Huffington Post for this link:

At HIPAA One, we are passionate about HIPAA Security, how it affects our jobs in healthcare, and how HIPAA affects our daily lives. Please visit us for resources and for information about our in-house developed HIPAA One Security Risk Analysis software.

OCR Issues First Fine for Non-Major Breach – Hospice of North Idaho

The Department of Health and Human Services’ Office for Civil Rights is, for the first time, financially punishing an organization for a breach of protected health information that affected fewer than 500 individuals. This is a new policy, as OCR has previously limited issuance of hefty fines, and publicity of the fines, to several organizations following a “major” breach that affected 500 or more individuals.  By Joseph Goedert

The entire article may be viewed here.

Indiana University Health Data Breach Affects 3,000+

OK, my blog isn’t dedicated solely to reporting breaches, but another breach hit the news. Here is a statement from Indiana University:

A HIPAA risk analysis requires that any PC that moves around (e.g. a laptop) be encrypted. This is item #1 on the list of risks for laptops holding ePHI. BitLocker, anyone?

A related article on the Health Data Management site described the device as a “password protected but unencrypted laptop”. That means the only protection was the local Windows or Linux login password, which guards the session, not the data on the disk. Anyone who boots the laptop from removable media or moves the drive into another machine reads every file within minutes, no matter how strong the password is. Only full-disk encryption ties access to the data to a key the thief does not have.

How could Indiana University Health have mitigated its risk here? As part of a risk-management process, encrypting portable computers that hold ePHI and educating its doctors on the subject through the acceptable use policy (AUP) would have helped. It is time to start taking security seriously to avoid serious consequences!