Sentara Hospitals to pay $2.2M HIPAA settlement for undisclosed data breaches


Sentara Hospitals is paying a $2.175 million settlement to resolve potential HIPAA security and privacy violations.

Sentara, which operates 12 hospitals in Virginia and North Carolina, also agreed to take corrective action as part of its settlement with the U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR).

According to OCR, Sentara failed to properly report a breach of patient data to the department, in violation of the Health Insurance Portability and Accountability Act (HIPAA) privacy, security and breach notification rules.

In April 2017, HHS received a complaint alleging that Sentara had sent a bill to an individual containing another patient’s protected health information (PHI). An OCR investigation found that Sentara had mailed 577 patients’ health information, including patient names, account numbers and dates of service, to the wrong addresses.

"Sentara reported this incident as a breach affecting eight individuals, because Sentara concluded, incorrectly, that unless the disclosure included patient diagnosis, treatment information or other medical information, no reportable breach of PHI had occurred," OCR said in a press release.


The settlement is one of the largest HIPAA penalties so far this year, second only to the University of Rochester Medical Center's $3 million settlement for potential HIPAA violations.

A Franklin, Tennessee-based medical imaging company also agreed to a $3 million HIPAA settlement with HHS as a result of a data breach that exposed the health information of 300,000 patients.

Sentara persisted in its refusal to properly report the breach even after OCR explicitly advised it of its duty to do so under the HIPAA rules, the department said.

The department also determined that Sentara Hospitals failed to have a business associate agreement in place with Sentara Healthcare, a separate entity that performed business associate services for the hospitals.


“HIPAA compliance depends on accurate and timely self-reporting of breaches because patients and the public have a right to know when sensitive information has been exposed,” Roger Severino, OCR director, said in a statement. "When health care providers blatantly fail to report breaches as required by law, they should expect vigorous enforcement action by OCR.”

In addition to the $2.175 million payment, Sentara agreed to a corrective action plan that includes two years of monitoring of its compliance with the HIPAA rules.