Sentara Hospitals to pay $2.2M HIPAA settlement for undisclosed data breaches

Sentara mailed 577 patients’ health information to wrong addresses; the mailings included patient names, account numbers and dates of services, according to the Department of Health and Human Services. (Getty/gintas77)

Sentara Healthcare is paying a $2.175 million settlement for potential security and privacy violations.

Sentara, which operates 12 hospitals in Virginia and North Carolina, also agreed to take corrective action as part of its settlement with the U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR).

According to OCR, Sentara failed to notify the department of patient data breaches, in violation of the Health Insurance Portability and Accountability Act (HIPAA) privacy and security rules.


In April 2017, HHS received a complaint alleging that Sentara had sent a bill to an individual containing another patient’s protected health information (PHI). An investigation by OCR found that Sentara had mailed 577 patients’ health information to wrong addresses; the mailings included patient names, account numbers, and dates of services.

"Sentara reported this incident as a breach affecting eight individuals, because Sentara concluded, incorrectly, that unless the disclosure included patient diagnosis, treatment information or other medical information, no reportable breach of PHI had occurred," OCR said in a press release.


The settlement is one of the largest fines so far this year, second to the University of Rochester Medical Center's $3 million settlement for potential HIPAA violations.

A Franklin, Tennessee-based medical imaging company also agreed to a $3 million HIPAA settlement with HHS as a result of a data breach that exposed the health information of 300,000 patients.

Sentara persisted in its refusal to properly report the breach even after being explicitly advised of its duty to do so under the HIPAA rules, OCR said.

The department also determined that Sentara failed to have a business associate agreement in place with Sentara Healthcare, an entity that performed business associate services for Sentara.


“HIPAA compliance depends on accurate and timely self-reporting of breaches because patients and the public have a right to know when sensitive information has been exposed,” Roger Severino, OCR director, said in a statement. "When health care providers blatantly fail to report breaches as required by law, they should expect vigorous enforcement action by OCR.”

In addition to the $2.2 million settlement, Sentara will take corrective action that includes two years of monitoring its compliance with the HIPAA rules.
