The Department of Health and Human Services’ Office for Civil Rights has fined a revenue cycle management company $75,000 for a data breach that compromised the personal information of 267 individuals.
A copy of the resolution agreement and the corrective action plan with iHealth Solutions is available from HHS.
Back in 2017, iHealth notified Health & Human Services of a data breach after it noticed that the protected health information of individuals — including patient names, dates of birth, addresses, Social Security numbers, email addresses, diagnoses, treatment information, medical procedures, and medical histories — had been transferred from an unsecured network server.
HHS conducted an investigation and found that iHealth did not conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of the protected information, as required under the Health Insurance Portability and Accountability Act.
As a result of the breach, iHealth has agreed to pay a fine of $75,000 and to comply with a corrective action plan. The plan requires iHealth to conduct a risk analysis of the potential security risks and vulnerabilities at all of its facilities, and to provide HHS with a statement of work for that analysis. The company must also develop and implement a risk management plan to address and mitigate any risks identified in the risk analysis, and submit that plan to HHS. Finally, it must update its policies and procedures, specifically those related to the Privacy Rule, the Security Rule, and the Breach Notification Rule.
“HIPAA business associates must protect the privacy and security of the health information they are entrusted with by HIPAA covered entities,” said OCR Director Melanie Fontes Rainer, in a statement. “Effective cybersecurity includes ensuring that electronic protected health information is secure, and not accessible to just anyone with an internet connection.”