Although HHS OCR generally fails to take a hard enforcement line with reporting breaches by the “no later than 60 day” rule in HIPAA, state attorneys general may enforce even stricter deadlines. Read this press release:
December 27 — Oregon Attorney General Ellen Rosenblum and Utah Attorney General Sean Reyes announced they’ve settled a data breach enforcement case against Avalon Healthcare Management. It is part of the Avalon Health Care Group that provides skilled nursing, therapy, senior living/assisted living and other medical services in six states, including Oregon and Utah.
The $200,000 settlement stems from a 2019 data breach that exposed the personal information and protected health information of 14,500 Avalon employees and patients, including 1,649 Oregonians. Oregon will receive $100,000.
In July 2019, a scammer gained access to an Avalon employee’s email account after the employee fell victim to a phishing scam. The breach included names, addresses, Social Security numbers, dates of birth, driver’s license numbers, medical treatment information, including diagnosis, health conditions, and/or medications, and limited financial information.
Approximately 10 months after the breach Avalon notified those impacted by the breach and reported it to federal and state regulators, including the Oregon Department of Justice. A joint investigation ensued, focusing on Avalon’s email security practices and compliance with the Health Insurance Portability and Accountability Act (HIPAA) and state breach notification statutes. Under Oregon law, a company should give notice of a breach of security in the most expeditious manner, but no more than 45 days after discovering the breach of security.
“Companies, like Avalon, that retain consumers’ protected health information, have a duty to keep this data safe from unauthorized access,” said Attorney General Rosenblum. “Avalon dealt with the personal health-related information of some of our most vulnerable residents. Close to 2000 Oregonians assumed—incorrectly—their information was safe with Avalon. Data breaches continue to be a problem in Oregon, and we are committed to working with companies to make sure they have the highest data privacy safeguards in place.” AG Rosenblum also thanked her team at the Oregon Department of Justice, including Assistant Attorney General Kristen Hilton in the Consumer Protection Section, for working on this important case.
In addition to the $200,000 settlement, Avalon will develop and maintain several data security practices designed to strengthen its information security program and safeguard the personal information of employees and patients.
For more information on reporting a data breach to the Oregon Department of Justice visit:
https://www.doj.state.or.us/consumer-protection/id-theft-data-breaches/data-breaches/
Read the settlement here.
DataBreaches had highlighted this incident back in 2020, here. Did HHS ever take any action? I cannot even find the incident on HHS’s breach tool although it was there in February 2020. Is HHS still investigating?