HIPAA Breaches: Size Doesn't Necessarily Matter

August 30, 2016 Advisory

The U.S. Department of Health and Human Services Office for Civil Rights (OCR) made headlines this month with a record $5.55 million HIPAA settlement reached with Advocate Health Care System, Illinois’ largest health care system with 12 acute care hospitals. That settlement dealt with three different data breaches that together compromised more than four million individual patient records. 

Since announcing the Advocate settlement, the OCR has made a special effort to let the health care world know that neither a smaller-sized breach nor a smaller-sized organization will be protected from OCR scrutiny. The OCR announced a new initiative giving special attention to smaller breaches – i.e. those involving protected health information (PHI) of fewer than 500 individuals. In its August 18 announcement, the OCR advised that its regional offices will increase their efforts "to identify and obtain corrective action to address entity and systemic noncompliance" related to smaller breaches. 

The OCR’s announcement regarding its new "smaller-sized" breach initiative referred to the following “recent” settlements involving smaller reported breaches:

  • Hospice of Northern Idaho – $50,000 settlement in 2013 as a result of 2010 theft of unencrypted laptop computer from an employee’s car, with electronic PHI (ePHI) of 441 individuals. 
  • QCA Health Plan of Arkansas – $250,000 settlement in 2014 following a 2012 theft of unencrypted laptop computer from an employee’s car, with ePHI of 148 individuals. 
  • St. Elizabeth’s Medical Center – $218,400 settlement in 2015. The Massachusetts hospital’s 2012 report of workforce members using an Internet-based document sharing application to store ePHI of at least 498 individuals, plus a 2014 breach of ePHI on a former workforce member’s personal laptop and USB flash drive. 
  • Catholic Health Care Services of the Archdiocese of Philadelphia (CHCS) – $650,000 settlement in July 2016 after theft of unencrypted iPhone of employee, with ePHI from 412 residents of six nursing homes for which CHCS was providing management and information technology services. 

One of the most frequent triggers for special attention from the OCR is an organization’s failure to assess its risks – particularly the risk posed by unencrypted ePHI on mobile devices – and to adopt reasonable safeguards. It is also clear from recent settlements and the “no break for small breaches” announcement that the OCR is looking closely at breaches involving IT system intrusions (e.g., hacking) and breaches arising from the activities of business associates. 

The monetary payments announced in OCR settlements are frequently dwarfed by the costs of the accompanying mandated corrective action plans, and by the reputational harm and operational disruption that accompany a data breach. Giving attention now to risk analysis and preventive measures, and to contracts with business associates, can greatly reduce the significant risks organizations face.
