The HHS Office for Civil Rights reported nine HIPAA settlements during 2017, resolving allegations against health systems, insurance providers and remote monitoring companies.
Here are the nine fines, beginning with the costliest settlement deal.
1. Memorial Healthcare System pays $5.5M HIPAA settlement
Hollywood, Fla.-based Memorial Healthcare System reported to HHS that unauthorized employees had accessed the protected health information of 115,143 individuals and disclosed it to the staff of an affiliated physician office. The accessed data included patients' names, Social Security numbers and dates of birth.
2. Children's Medical Center of Dallas pays $3.2M for lack of HIPAA compliance
In July 2013, Children's Medical Center of Dallas filed a report describing the theft of an unencrypted laptop from its premises. The laptop contained 2,462 patients' ePHI and was stolen between April 4, 2013, and April 9, 2013.
3. CardioNet agrees to $2.5M HIPAA settlement
CardioNet reported the theft of a workforce member's laptop containing data related to 1,391 individuals in January 2012. The company provides remote mobile monitoring to patients at risk for cardiac arrhythmias, and the case marked the first HIPAA settlement involving a wireless health services provider.
4. Memorial Hermann agrees to $2.4M HIPAA settlement
In September 2015, a patient presented a reportedly fraudulent identification card to office staff at one of Houston-based Memorial Hermann Health System's clinics. Following the incident, Memorial Hermann issued a news release that included the patient's name in its headline.
5. Puerto Rico life insurance company to pay $2.2M HIPAA settlement
On Sept. 29, 2011, MAPFRE filed a report with the OCR claiming a USB device was left in its IT department unguarded overnight and was subsequently stolen. The USB device contained the ePHI of 2,209 patients, including their complete names, dates of birth and Social Security numbers.
6. Presence Health to pay $475k HIPAA settlement fine
On Oct. 22, 2013, the health system discovered operating room schedules were missing from the Presence Surgery Center at Joliet, Ill.-based Presence St. Joseph Medical Center. The schedules contained personal information of 836 patients, including names, birthdates and types of procedures.
7. Metro Community Provider Network agrees to $400k HIPAA settlement
Englewood, Colo.-based Metro Community Provider Network, a federally-qualified health center, filed a breach report Jan. 27, 2012 after a hacker accessed employee email accounts and obtained 3,200 individuals' PHI. An investigation found MCPN failed to conduct a risk analysis until mid-February 2012.
8. Mount Sinai St. Luke's agrees to $387k HIPAA settlement after 'careless' disclosure of HIV status
In its investigation, OCR found a staff member from New York City-based Mount Sinai St. Luke's inappropriately faxed a patient's PHI to his employer, rather than delivering it to a post office box. OCR also discovered the center was responsible for a related privacy breach nine months prior.
9. Center for Children's Digestive Health agrees to $31k HIPAA settlement
Filefax stored records for the Park Ridge, Ill.-based Center for Children's Digestive Health, some of which contained protected health information. Although the center began storing records with Filefax in 2003, neither party could produce a signed business associate agreement dated prior to Oct. 12, 2015.