L.A. Care, the country's largest publicly operated health plan, has reached a $1.3 million settlement with federal regulators over potential Health Insurance Portability and Accountability Act (HIPAA) violations linked to data breaches.
In addition, it must fix systemic and technical problems that led to the breaches, which may have compromised patient information protected under HIPAA, according to Department of Health and Human Services’ (HHS') Office for Civil Rights (OCR).
L.A. Care provides coverage for about 2.9 million people in Medicaid, Medicare and Affordable Care Act plans—people described by OCR Director Melanie Fontes Rainer as some of the most vulnerable in Los Angeles County.
Rainer said in an announcement today that “breaches of protected health information by a HIPAA-regulated entity often reveal systemic noncompliance with the HIPAA rules. HIPAA-regulated entities need to be proactive in ensuring their compliance with the HIPAA Rules, and not wait for OCR to reveal long-standing HIPAA deficiencies.”
HIPAA’s privacy, security and breach notification rules set the requirements that regulated entities must follow to safeguard protected health information.
The settlement and corrective action plan said the settlement concerns two separate data breaches. L.A. Care reported to OCR that in late January 2019, a plan member received identification cards for other members, and a subsequent investigation revealed that a mailing error caused cards to be sent to the wrong addresses. The breach affected 1,498 members.
The other incident was brought to light on March 3, 2014, by an online media outlet, which the settlement doesn’t identify. The outlet reported that in January 2014 some L.A. Care members who logged into their payment portal were able to see other members’ names, addresses and member identification numbers. That affected about 500 individuals. Upon investigating, OCR found that L.A. Care:
- Did not have procedures in place for the regular review of information system activity
- Did not have the proper mechanisms in place that would allow it to record and review information system activity
- Had not implemented reasonable and appropriate security measures that could effectively reduce the risk of a data breach
- Did not perform periodic technical and nontechnical evaluations after environmental and operational changes had been made
Under a comprehensive corrective action plan, L.A. Care must:
- Create and implement a risk management plan to identify problems that may lead to compromises in the availability, confidentiality and integrity of online patient information
- Tell HHS about any failure among employees to comply with HIPAA rules within 30 days
- Tell HHS about any evaluations L.A. Care does of environmental or operational changes that might affect the security of patient information
- Conduct a risk analysis to identify vulnerabilities in data systems throughout the company
- Create policies and procedures for risk analysis and distribute them to employees
This is not the first time L.A. Care has found itself in hot water over the way it conducts business. In March, California healthcare officials fined the plan $55 million for numerous violations that occurred between January 2019 and October 2021.
Those violations included the improper response to member grievances, failure to process requests for authorization and not effectively overseeing contracted vendors to make sure members had timely access to care.