iHealth Solutions settles HIPAA violation charges

Image via Unsplash

iHealth has settled with the Office for Civil Rights (OCR) over potential Health Insurance Portability and Accountability Act (HIPAA) privacy violations. The settlement involved a data breach, where a network server containing the protected health information of 267 individuals was left unsecure on the internet. The HIPAA Privacy, Security and Breach Notification Rules set the requirements that HIPAA-regulated entities must follow to protect the privacy and security of health information.

OCR initiated an investigation of iHealth Solutions in 2017 following the receipt of a breach report stating that iHealth Solutions had experienced an unauthorized transfer of protected health information, known as exfiltration, from its unsecured server. The protected health information included patient names, dates of birth, addresses, Social Security numbers, email addresses, diagnoses, treatment information, medical procedures and medical histories. In addition to the impermissible disclosure of protected health information, OCR’s investigation found evidence of the potential failure by iHealth Solutions to have in place an analysis to determine risks and vulnerabilities to electronic protected health information across the organization.

iHealth Solutions has paid $75,000 to OCR and agreed to implement a corrective action plan, which identifies steps iHealth Solutions will take to resolve potential violations of the HIPAA Privacy and Security Rules and protect the security of electronic protected health information. Under the terms of the settlement agreement, iHealth Solutions will be monitored by OCR for two years to ensure compliance with the HIPAA Security Rule. iHealth Solutions has also agreed to take the following steps:

Conduct an accurate and thorough analysis of its organization to determine the possible risks and vulnerabilities to the electronic protected health information it holds.
Develop and implement a risk management plan to address and mitigate identified security risks and vulnerabilities to the confidentiality, integrity and availability of its electronic protected health information.
Implement a process to evaluate environmental and operational changes that affect the security of electronic protected health information.
Develop, maintain and revise, as necessary, its written HIPAA policies and procedures.

ON DEMAND: Business-impacting events such as severe weather, man-made disasters, and supply chain disruption are increasing in frequency and making impacts around the globe.

In today's rapidly evolving security landscape, organizations face an ever-growing array of disruptive events, security threats and risks. Traditional reactive approaches to security intelligence often leave businesses vulnerable and ill-prepared to anticipate and mitigate emerging threats that could impact the safety of their people, facilities or operations.