
Vendor Pays $75,000 HIPAA Fine in Data Exfiltration Breach

Patient Information Left Unsecured on Network Server, HHS Says
Federal regulators have hit iHealth Solutions, which does business as Advantum Health, with a $75,000 settlement following an investigation into a 2017 data exfiltration breach.

A Kentucky-based firm that provides coding and billing services to healthcare entities has agreed to pay federal regulators a $75,000 fine and implement a corrective action plan in the wake of an exfiltration incident that compromised patient information contained in an unsecured network server.


The Department of Health and Human Services on Wednesday said the HIPAA settlement with iHealth Solutions, which does business as Advantum Health, involved an investigation into the 2017 incident affecting 267 individuals.

“HIPAA business associates must protect the privacy and security of the health information they are entrusted with by HIPAA-covered entities,” said Melanie Fontes Rainer, director of HHS' Office for Civil Rights.

“Effective cybersecurity includes ensuring that electronic protected health information is secure and not accessible to just anyone with an internet connection,” she said.

HHS OCR initiated an investigation into iHealth in August 2017 after receiving a breach report stating that the company had experienced an unauthorized transfer of protected health information - or data exfiltration - from an unsecured server exposed to the internet, the agency said.

Compromised information included patient names, birthdates, addresses, Social Security numbers, email addresses, diagnoses, treatment information, medical procedures and medical histories, HHS OCR said.

In addition to the impermissible disclosure of PHI, OCR's investigation found a lack of evidence that iHealth had conducted a comprehensive, enterprisewide security risk analysis.

Corrective Action Plan

Under its resolution agreement with HHS, iHealth will implement a corrective action plan.

That plan includes iHealth conducting a thorough and accurate security risk analysis; developing and implementing a security risk management plan; executing a process to evaluate environmental and operational changes affecting the security of electronic PHI; and developing, maintaining and revising its written HIPAA policies and procedures.

HHS OCR also said it would monitor iHealth for two years to ensure the company's HIPAA compliance.

iHealth Says No Patient Data Lost

In a statement to Information Security Media Group, iHealth said, "No patient or client data was lost, used for nefarious reasons or negatively affected, and the time the data was exposed was limited to a few hours."

At the time of the breach, iHealth Solutions was under different leadership and was using technology that is no longer in use, the statement said. In the six years since the incident, the company has not had any HIPAA violations, complaints or fines, and it operates with "extremely high security standards," according to the statement.

"iHealth Solutions agreed to the settlement to put an end to this years-dated issue."

The settlement between HHS OCR and iHealth is the sixth HIPAA enforcement action by the agency so far in 2023. The actions add up to about $1.9 million in HIPAA fine collections.

Business associates have been implicated in about 40% of major HIPAA breaches reported to HHS OCR so far this year and are responsible for about 50% of individuals affected.


About the Author

Marianne Kolbasuk McGee


Executive Editor, HealthcareInfoSecurity, ISMG

McGee is executive editor of Information Security Media Group's HealthcareInfoSecurity.com media site. She has about 30 years of IT journalism experience, with a focus on healthcare information technology issues for more than 15 years. Before joining ISMG in 2012, she was a reporter at InformationWeek magazine and news site and played a lead role in the launch of InformationWeek's healthcare IT media site.



