Tag Archives: Settlement

Popular Music Video App Agrees to Record COPPA Settlement

Musical.ly, the popular social media app for children now known as TikTok, and the FTC recently settled allegations of violations of the Children’s Online Privacy Protection Act (COPPA). The settled amount was $5.7 million, the largest civil penalty the agency has collected in a children’s data privacy case.

The Musical.ly app allows users to make short lip-syncing videos that can be shared on the platform. Over 200 million users have downloaded the Musical.ly app worldwide, according to the FTC, with 65 million of those accounts being in the United States.

COPPA prohibits the unauthorized or unnecessary collection of children’s personal information online by website operators and online services, and requires that verifiable parental consent be obtained prior to collecting, using, and/or disclosing the personal information of children under 13.

OCR Sets HIPAA Enforcement Record with Cottage Health Settlement

California-based Cottage Health agreed to pay $3 million and implement a corrective action plan as part of a HIPAA settlement to resolve allegations it had unintentionally disclosed electronic patient information. This settlement, in December 2018, brought the annual total of collections from OCR enforcement actions to $28.7 million, setting a new annual record.

Two Breaches

Cottage Health, which operates four hospitals in California, notified HHS’ OCR about two breaches of unsecured electronic protected health information (ePHI), one in December 2013 and another in December 2015, affecting more than 62,500 individuals.

The first incident occurred when the security configuration settings of the health system’s Windows operating system reportedly permitted access to files containing ePHI without requiring a username and password. As a result, patient information was available to anyone on the internet with access to Cottage Health’s server.

Florida Contractor Physician Group Pays $500K in HIPAA Settlement

A Florida-based contractor physician group will pay $500,000 to settle alleged HIPAA violations after data on more than 9,000 patients was posted online.

Advanced Care Hospitalists PL (ACH), which provides internal medicine doctors to hospitals and nursing facilities, has also agreed to a corrective action plan as part of the HIPAA settlement, the Department of Health and Human Services announced.

Alleged HIPAA Violations

Between November 2011 and June 2012, ACH worked with an individual who claimed to be a representative of Doctor’s First Choice Billings Inc. for billing services. This person provided services to ACH using First Choice’s website and its branding but operated without the knowledge of the Florida-based company’s owner, according to HHS.

OCR Announces Six-Figure HIPAA Settlement

The U.S. Department of Health and Human Services’ Office for Civil Rights (OCR) announced a $125,000 settlement with Allergy Associates of Hartford, P.C., a three-physician allergy practice in Connecticut, for HIPAA Privacy Rule violations.

Alleged HIPAA Violation

According to OCR’s press release and corrective action plan, a patient of Allergy Associates contacted a reporter about a dispute between the patient and a doctor regarding the patient’s service animal. The reporter contacted the doctor for comment and the doctor was alleged to have impermissibly disclosed the patient’s protected health information to the reporter.

While the allergy practice had HIPAA policies and procedures in place, the physician did not adhere to them. Further, once OCR uncovered the issue, it also found that the practice had failed to sanction the physician involved in accordance with its policies.

OCR Announces Fourth Largest Penalty Ever

The U.S. Department of Health and Human Services, Office for Civil Rights (OCR) recently announced an Administrative Law Judge (ALJ) ruled against The University of Texas MD Anderson Cancer Center (MD Anderson) after MD Anderson suffered three breaches that disclosed the health records of about 35,000 patients. The ruling requires MD Anderson to pay $4,348,000 in civil money penalties making it the fourth largest monetary penalty in OCR’s history.

The Three Breaches

MD Anderson suffered three different data breaches in 2012 and 2013. The breaches involved the theft of an unencrypted laptop and the loss of two USB thumb drives containing the unencrypted protected health information of over 33,500 patients.

Lack of Encryption

OCR’s investigation found MD Anderson had written encryption policies dating back to 2006, but those policies were not adopted until 2011 and, even then, MD Anderson did not encrypt all of its electronic devices, as evidenced by the breaches in 2012 and 2013. Furthermore, MD Anderson’s own risk analyses recognized that the lack of device-level encryption posed a high risk to the security of ePHI.

Nationwide Agrees to Settle Breach Investigation for $5.5 Million

Nationwide settled its 2012 data breach investigation with 32 state attorneys general to the tune of $5.5 million. The settlement includes several security practices Nationwide is required to incorporate going forward.

Breach Background

Nationwide suffered a breach in October 2012 leading to the unauthorized access and exfiltration of personal information of 1.2 million customers and other consumers. Compromised information included names, Social Security numbers, driver’s license numbers, credit scoring data, and other data used to provide consumers with insurance quotes.

The attorneys general investigation alleged Nationwide failed to apply a critical security patch that was released in 2009. As a result, hackers leveraged the vulnerability in Nationwide’s web application hosting software to steal the data.

Settlement Terms

Under the settlement, Nationwide is tasked with updating its patch management process, along with hiring an individual to manage the procedures for security updates.

In the next three years, Nationwide must:

  • Maintain an inventory of all systems processing personal information and the updates and patches applied to them
  • Maintain tools to scan systems processing personal information for common vulnerabilities
  • Perform internal assessments of its patch management process semi-annually, and have an independent party perform an annual audit of the patch management process

Anthem Settles Massive Breach Case for $115 Million

Anthem agreed to a $115 million settlement of its pending data breach class action lawsuit, based on the infamous 2015 cyberattack impacting 78.8 million individuals. If approved by a judge, this settlement agreement would represent the largest in data breach history.

Settlement Details

The settlement proposed requires Anthem to establish a $115 million settlement fund. The fund will:

  • Provide data breach victims with at least two years of credit monitoring,
  • Cover out-of-pocket expenses incurred by consumers from the data breach, and
  • Provide cash compensation for consumers already enrolled in credit monitoring.

Anthem is additionally required to allocate funding for information security. Specific data security improvements required include encryption for certain types of information, along with implementation of strict access controls for sensitive data.

The Plaintiffs’ Counsel statement notes the settlement will help to protect class members from future risk while providing compensation for the previous breach.

This settlement comes on the heels of a report issued in January by seven state insurance commissioners following their investigation of the breach. The investigation noted a phishing email from an unnamed nation-state was the root cause of the breach.

Key Takeaways

  • Establishing Precedent: The Anthem case could hold a lot of weight for data breach litigation.
  • Plaintiff Foothold: Where other cases have failed due to lack of standing (Barnes & Noble) or resulted in low settlement amounts (Target), the Anthem case seems like a win for the plaintiff side.
  • Raising the Stakes: The $115 million price tag on the Anthem case will likely spur attorneys to push for higher settlement amounts in data breach cases.
  • New Non-Monetary Requirements: In addition to monetary demands, Plaintiffs are looking for the breached entity to resolve the issues leading to the breach. In this case, Anthem is forced to improve their information security practices and address the root cause of the attack.

Mishandling HIV Information Costs Hospital $387,000

St. Luke’s hospital came under fire after faxing two patients’ sensitive medical information against their requests.

The Office for Civil Rights (OCR) reached a settlement with St. Luke’s-Roosevelt Hospital Center over violations of HIPAA’s Privacy Rule related to impermissible disclosure of protected health information (PHI).

Who is St. Luke’s?

According to the OCR press release, St. Luke’s-Roosevelt Hospital Center Inc. (St. Luke’s) operates the Institute for Advanced Medicine, formerly the Spencer Cox Center for Health, which provides comprehensive health services to persons living with HIV or AIDS and other chronic diseases. St. Luke’s is 1 of 7 hospitals that comprise the Mount Sinai Health System.

Data Breach Details

OCR received an initial complaint in 2014 regarding impermissible disclosure of patient health information by the staff at Spencer Cox Center.

OCR launched an investigation, finding the Spencer Cox Center staff faxed the patient’s PHI directly to his employer, and not his personal post office box as he requested.

Information disclosed included highly sensitive medical information: HIV status, medical care, sexually transmitted diseases, medications, sexual orientation, mental health diagnosis, and physical abuse.

Through its investigation of this event, OCR discovered Spencer Cox Center was also responsible for a related breach of sensitive information and had taken no action to address the apparent issue. In the related breach nine months prior, staff faxed PHI of another patient (against the patient’s express instructions) to an office where the patient volunteered.

Settlement Details

The settlement includes a $387,000 penalty for St. Luke’s, along with a corrective action plan.

The corrective action plan includes several remediation steps:

  • Revise and distribute written policies and procedures concerning the uses and disclosures of PHI (mail, fax, or email), and update them annually
  • Revise and distribute training materials to include instruction on safeguarding PHI

Key Takeaways

For a case that involves the PHI of only two individual patients, this might seem like a heavy assessment by OCR. This high settlement amount conveys OCR’s focus on two areas in this case: 1) penalty proportionate to sensitivity of information and 2) penalty for avoidance of addressing compliance issues.

The settlement amount clearly reflects the sensitive nature of the patient information disclosed. The high penalty also addresses the failure to act on the initial incident. Had the Spencer Cox Center addressed the issues within its compliance program after the initial breach, procedures and policies would have been in place to mitigate future events and prevent this type of impermissible disclosure.

It is no surprise to see OCR targeting a case with minimal individuals impacted. OCR noted last year they would start focusing more on smaller breaches. With this example, we see that OCR has been true to their word. We also reported on a $2.4 million penalty earlier in May for an incident involving only one patient’s information.

UK Company Gets into Snafu over Direct Marketing Emails

Direct marketing emails can quickly get a company into trouble. Two companies in the UK found themselves on the wrong side of compliance with the Privacy and Electronic Communications Regulations 2003 (PECR).

The Information Commissioner’s Office (ICO), tasked with enforcing PECR, recently issued a fine against Flybe and Honda for violating the direct marketing provisions under the regulations.

Flybe Case

Flybe is a regional airline carrier based in Exeter.

In August 2016, Flybe sent out emails with the subject: “Are your details correct?” The email asked recipients to amend any out-of-date information and update their marketing preferences. It also enticed recipients to update their preferences in order to be entered into a prize drawing.

After a complaint to the ICO by an email recipient, an ICO investigation ensued and found that Flybe sent emails to 3.3 million customers who explicitly opted out of direct marketing from the airline company.

ICO fined Flybe £70,000 for their violations of the direct marketing provisions under PECR.

Honda Case

ICO issued a similar fine against Honda on the same day for £13,000.

Honda similarly sent almost 300,000 emails asking customers to clarify their marketing preferences. Without direct evidence to show whether the recipients consented to direct marketing, Honda violated PECR.

Again, the ICO found the emails in violation of PECR. The fine assigned is significantly lower than Flybe’s due to the smaller number of emails involved. The contrast between Honda’s negligence and Flybe’s deliberate noncompliance is also relevant when reflecting on the disparate fine amounts.

ICO Reflections

ICO made several assertions regarding the two cases and the subject of direct marketing under PECR.

Steve Eckersley, ICO Head of Enforcement, confirmed that emails asking recipients if they want to change any marketing preferences are themselves marketing emails… not customer service emails. And thus, they are subject to the rules of PECR.

Further, any company sending these types of emails to customers who opted out of marketing emails is in violation of PECR.

In providing a solution for compliance, ICO referenced their recently

Key Takeaways

Interestingly enough, the violating companies were supposedly preparing for compliance under the GDPR for provisions related to consumer consent.

As the effective date for GDPR approaches, expect to see more companies over the next year’s countdown looking for clever ways to comply with the consent requirements. Many companies with a presence in the UK will face dangers similar to those that caught Honda and Flybe.

We’ve seen related issues with marketing emails in Canada as well. As we noted here, Canada’s law opens up to private right of action starting July 1st.

Companies should use caution when preparing for GDPR compliance or cleansing their marketing lists. Remember:

Don’t break one law in order to follow another…

$2.4 Million HIPAA Penalty for Disclosing One Patient’s Name

The Office for Civil Rights (OCR) announced a curious settlement with Memorial Hermann Health Systems (MHHS) last week after an OCR compliance review. The review found impermissible disclosure of a single patient’s PHI… leading to a $2.4 million whopper of a fine.

Who is MHHS?

Memorial Hermann Health Systems is a Houston-based, non-profit healthcare system. Their services include 16 hospitals and specialty service centers.

Breach Details

In September 2015, office staff at an MHHS clinic were presented with a patient’s allegedly fraudulent identification card.

The staff immediately contacted law enforcement and the patient was arrested.

This disclosure of information was allowed under HIPAA’s Privacy Rule. Covered entities are permitted to disclose information to law enforcement for the purpose of aiding in an investigation.

However, a media response by MHHS subsequently disclosed the same PHI. Senior management approved this impermissible disclosure and even added the patient’s name to the headline of the press release.

Despite the previous law enforcement exception, this new impermissible disclosure qualified as a violation under HIPAA’s Privacy Rule.

OCR’s new Director Roger Severino commented, “This case reminds us that organizations can readily cooperate with law enforcement without violating HIPAA, but that they must nevertheless continue to protect patient privacy when making statements to the public and elsewhere.”

OCR also notes in their findings from the compliance review that MHHS failed to document the sanctioning of its workforce members for the press release incident.

Settlement Details

The focal point of the OCR / MHHS settlement is the hefty $2.4 million penalty. Some industry experts are surprised to see such a large fine here, given the disclosure was a single piece of PHI.

A few factors might have contributed to the size of the penalty:

  • The nonchalant attitude from management regarding patient privacy and PHI disclosures
  • The failure to apply sanctions to staff in the aftermath of the disclosure
  • The larger size of the healthcare system

The settlement also included a corrective action plan. The compliance measures on MHHS’ to-do list include:

  • Updating policies and procedures on safeguarding PHI from impermissible disclosures
  • Training workforce members on the policies and procedures
  • Confirming their understanding of permissible disclosures of PHI, including to the media

Key Takeaway

OCR is sending the message loud and clear: Covered entities need to use proper discretion according to the Privacy Rule when disclosing patient information.

If your organization is questioning whether a use or disclosure of patient information is permissible under HIPAA, reach out and validate with our Cybersecurity team.

If you’d like assistance, send us a note and brief explanation to cyberteam@eplaceinc.com and we’ll help guide you in the right direction.

Additional Notes

If you’re following along with us and keeping tally, this marks the 8th HIPAA enforcement action in 2017. Those enforcement actions have netted the OCR a grand total of $17 million in penalties.

This particular data breach reminds us of a case we reported on last year. New York Presbyterian Hospital found themselves in a similar conundrum when mixing media and patient privacy. You can read that article here.