DataBreaches.Net

Menu
  • About
  • Breach Notification Laws
  • Privacy Policy
  • Transparency Report
Menu

First HIPAA enforcement action for lack of timely breach notification settles for $475,000

Posted on January 9, 2017 by Dissent

OCR has announced a settlement involving a breach that I never even reported on this site at the time and that doesn’t appear to have been in the news at the time. A quick look at HHS’s “Wall of Shame” shows two entries for the incident at issue: one entry says it was reported on January 31, 2014 as “Loss – Paper/Films.” The second entry says it was reported on April 4, 2014 as “Other – Paper/Films.” Let’s see what the press release from OCR says: 

The U.S. Department of Health and Human Services, Office for Civil Rights (OCR), has announced the first Health Insurance Portability and Accountability Act (HIPAA) settlement based on the untimely reporting of a breach of unsecured protected health information (PHI).  Presence Health has agreed to settle potential violations of the HIPAA Breach Notification Rule by paying $475,000 and implementing a corrective action plan. Presence Health is one of the largest health care networks serving Illinois and consists of approximately 150 locations, including 11 hospitals and 27 long-term care and senior living facilities. Presence also has multiple physicians’ offices and health care centers in its system and offers home care, hospice care, and behavioral health services. With this settlement amount, OCR balanced the need to emphasize the importance of timely breach reporting with the desire not to disincentive breach reporting altogether.

On January 31, 2014, OCR received a breach notification report from Presence indicating that on October 22, 2013, Presence discovered that paper-based operating room schedules, which contained the PHI of 836 individuals, were missing from the Presence Surgery Center at the Presence St. Joseph Medical Center in Joliet, Illinois.  The information consisted of the affected individuals’ names, dates of birth, medical record numbers, dates of procedures, types of procedures, surgeon names, and types of anesthesia.  OCR’s investigation revealed that Presence Health failed to notify, without unreasonable delay and within 60 days of discovering the breach, each of the 836 individuals affected by the breach, prominent media outlets (as required for breaches affecting 500 or more individuals), and OCR.

So they were late by more than one month.  The press release doesn’t indicate how late they were, but the Resolution Agreement notes that notifications to individuals did not occur until February 3, 2014 (104 days post-discovery), notification to media outlets did not occur until February 5, and notification to HHS did not occur until January 31.

The Resolution Agreement also indicates that Presence explained its delay as being due to a “miscommunication between workers.” But in investigating Presence, OCR had also uncovered other breaches in which notification had not been timely made. As a result, the corrective action plan requires revision of policies and procedures for receiving and addressing reports of breaches from both internal sources and external parties.

As a tease to readers:

In the near future, Protenus will  be releasing its report on 2016 health data breaches. Their analyses includes some data on the gap between breach, discovery, and reporting, and how many entities actually comply with the 60-day of discovery timeline. Their analyses, in light of today’s resolution agreement, should make for some interesting conversations – and sweating – in C-Suites.

Update: Thanks to a reader who pointed out that I actually had covered this breach at the time. I’ve deleted part of the first sentence in light of her outstanding discovery. 🙂

Category: Breach LawsHealth DataOf NoteU.S.

Post navigation

← ESEA hacked, 1.5 million records leaked after alleged failed extortion attempt
Minneapolis settles more lawsuits over snooping in driver database →

2 thoughts on “First HIPAA enforcement action for lack of timely breach notification settles for $475,000”

  1. Katherine says:
    January 10, 2017 at 2:16 am

    I think this is really good for those of us who have been involved in some of the recent breaches but I think this is still an ongoing issue with a lot of practices.

  2. theresa defino says:
    January 24, 2017 at 2:22 pm

    You did report this.

    https://www.databreaches.net/il-presence-saint-joseph-medical-center-notifies-874-patients-after-or-schedules-go-missing/

Comments are closed.

Now more than ever

"Stand with Ukraine:" above raised hands. The illustration is in blue and yellow, the colors of Ukraine's flag.

Search

Browse by Categories

Recent Posts

  • Mysterious leaker GangExposed outs Conti kingpins in massive ransomware data dump
  • Resource: HoganLovells Asia-Pacific Data, Privacy and Cybersecurity Guide 2025
  • Class action settlement following ransomware attack will cost Fred Hutchinson Cancer Center about $52 million
  • Comstar LLC agrees to corrective action plan and fine to settle HHS OCR charges
  • Australian ransomware victims now must tell the government if they pay up
  • U.S. Sanctions Cloud Provider ‘Funnull’ as Top Source of ‘Pig Butchering’ Scams
  • Victoria’s Secret takes down website after security incident
  • U.S. Government Employee Arrested for Attempting to Provide Classified Information to Foreign Government
  • St. Cloud Provides Update on Ransomware Attack in 2024
  • Bradford Health Systems detected abnormal network activity in December 2023. They first sent out breach notices this week.

No, You Can’t Buy a Post or an Interview

This site does not accept sponsored posts or link-back arrangements. Inquiries about either are ignored.

And despite what some trolls may try to claim: DataBreaches has never accepted even one dime to interview or report on anyone. Nor will DataBreaches ever pay anyone for data or to interview them.

Want to Get Our RSS Feed?

Grab it here:

https://databreaches.net/feed/

RSS Recent Posts on PogoWasRight.org

  • Resource: HoganLovells Asia-Pacific Data, Privacy and Cybersecurity Guide 2025
  • She Got an Abortion. So A Texas Cop Used 83,000 Cameras to Track Her Down.
  • Why AI May Be Listening In on Your Next Doctor’s Appointment
  • Watch out for activist judges trying to deprive us of our rights to safe reproductive healthcare
  • Nebraska Bans Minor Social Media Accounts Without Parental Consent
  • Trump Taps Palantir to Compile Data on Americans
  • The US Is Storing Migrant Children’s DNA in a Criminal Database

Have a News Tip?

Email: Tips[at]DataBreaches.net

Signal: +1 516-776-7756

Contact Me

Email: info[at]databreaches.net

Mastodon: Infosec.Exchange/@PogoWasRight

Signal: +1 516-776-7756

DMCA Concern: dmca[at]databreaches.net
© 2009 – 2025 DataBreaches.net and DataBreaches LLC. All rights reserved.