Solara Medical Supplies Settles HIPAA Violations Paying $3M

The HHS’ Office for Civil Rights (OCR) has announced a settlement with Solara Medical Supplies, LLC resolving multiple violations of the HIPAA Rules. Solara Medical Supplies, LLC is a direct-to-patient supplier of medical products and a subsidiary of AdaptHealth. It is the largest U.S. distributor of insulin pumps, continuous glucose monitors, and other products for patients with diabetes, and works with Medicare and more than 300 insurance firms.

In November 2019, Solara Medical Supplies submitted a breach notification to OCR concerning a phishing incident that allowed an unauthorized person to access the email accounts of eight employees between April 2019 and June 2019. Based on Solara’s investigation, the accounts contained the electronic protected health information (ePHI) of 114,007 individuals. Then, in January 2020, OCR was notified that, when the breach notification letters were mailed to the affected individuals, 1,531 letters had been sent to incorrect postal addresses. As a result, the protected health information, specifically the demographic data, of 1,531 individuals was further compromised.

OCR investigated the data breaches to determine whether Solara Medical Supplies was compliant with the HIPAA Rules and identified several potential HIPAA violations. Solara Medical Supplies violated 45 C.F.R. § 164.308(a)(1)(ii)(A) of the HIPAA Security Rule by failing to conduct an accurate and thorough risk analysis to identify risks and vulnerabilities to the ePHI stored in its systems. It violated 45 C.F.R. § 164.308(a)(1)(ii)(B) of the HIPAA Security Rule by failing to implement security measures to reduce risks and vulnerabilities to ePHI to a reasonable and appropriate level. It also made two impermissible disclosures of PHI: one affecting the ePHI of 114,007 individuals in the phishing incident and one affecting the PHI of 1,531 individuals in the mis-mailing incident.

OCR also identified multiple violations of the HIPAA Breach Notification Rule, which requires notification letters to be issued to the HHS, the individuals affected by a data breach, and media outlets within 60 days of discovery of the breach. Solara Medical Supplies did not notify the HHS promptly about either breach, did not promptly notify the individuals affected by the phishing breach, and did not promptly notify prominent media outlets about the phishing breach. These failures violate 45 C.F.R. § 164.404 and 45 C.F.R. § 164.406 of the HIPAA Breach Notification Rule.

OCR gave Solara Medical Supplies the opportunity to settle the alleged HIPAA violations without admission of liability, and Solara Medical Supplies agreed to a settlement that includes a $3,000,000 financial penalty and the implementation of a corrective action plan addressing all of the alleged HIPAA violations. The corrective action plan includes:

  • conducting a HIPAA-compliant risk analysis
  • developing and implementing a risk management plan
  • developing, maintaining, and revising written policies and procedures as required to comply with the HIPAA Rules
  • providing HIPAA training to the workforce, including training on the new policies and procedures.

OCR will monitor compliance with the corrective action plan for two years. Solara Medical Supplies also faced a class action lawsuit over the data breach, in which customers alleged that the company had implemented inadequate cybersecurity measures to protect their information. Solara settled the class action lawsuit for $9.76 million.

Image credit: GMeta, AdobeStock / logo©SolaraMedicalSupplies


Posted by

John Blacksmith

John Blacksmith is a journalist with several years of experience in both print and online publications. John has specialized in information technology in the healthcare sector, and in particular in healthcare data security and privacy. His focus on healthcare data means he has specialist knowledge of the HIPAA regulations. John has a degree in journalism.