Unprotected Health Information on Unsecured Server Leads to $75,000 Settlement with iHealth Solutions

The U.S. Department of Health and Human Services’ Office for Civil Rights (OCR) has settled potential violations of HIPAA Privacy and Security Rules with Kentucky-based iHealth Solutions (also known as Advantum Health). The settlement centers around a data breach in which the protected health information of 267 individuals was left unsecured on the internet, a clear violation of HIPAA rules that demand stringent protection of health information.

OCR Director Melanie Fontes Rainer emphasized the importance of HIPAA business associates protecting the privacy and security of the health information they handle, ensuring it is not freely accessible on the internet.

In August 2017, OCR began investigating iHealth Solutions after receiving a breach report indicating an unauthorized transfer of protected health information from the company's unsecured server. The compromised data included sensitive details such as patient names, dates of birth, addresses, Social Security numbers, email addresses, medical history, and treatment information.

OCR's investigation further unearthed potential inadequacies within iHealth Solutions' risk and vulnerability assessment related to electronic protected health information. Consequently, iHealth Solutions has paid a $75,000 penalty and agreed to a corrective action plan aimed at resolving potential HIPAA Privacy and Security Rules violations and bolstering electronic health information security.

For two years, OCR will monitor iHealth Solutions to ensure compliance with the HIPAA Security Rule. The corrective steps to be undertaken by iHealth Solutions include conducting a comprehensive analysis of its organization to identify risks and vulnerabilities to the electronic protected health information, developing a risk management plan, implementing a process to evaluate changes affecting the security of electronic protected health information, and updating their HIPAA policies and procedures.

Don't take a chance on outdated policies or documentation. Policies, employee training records and other HIPAA documents must be maintained for 6 years. HIPAA compliance doesn't have to be expensive or difficult. Please check out our HIPAA Privacy and Security Systems here.

Further details can be accessed at: https://www.hhs.gov/hipaa/for-professionals/compliance-enforcement/agreements/ihealth-ra-cap/index.html.