Successive HIPAA Breaches Lead to $1.3 Million Settlement for Nation’s Largest Public Health Plan

October 5, 2023

On Sept. 11, 2023, the U.S. Department of Health and Human Services’ Office for Civil Rights (OCR) announced that the Local Initiative Health Authority for Los Angeles County (LA Care) entered into a $1.3 million settlement agreement to resolve allegations that it violated the Health Insurance Portability and Accountability Act of 1996, as amended (HIPAA). As part of the settlement, LA Care, a public health plan whose beneficiaries consist of 2.7 million Los Angeles County residents, also entered into a corrective action plan (CAP) to remedy its alleged HIPAA noncompliance.

OCR initiated an investigation of LA Care on Jan. 13, 2016, after an online article reported that the protected health information (PHI) of LA Care beneficiaries was potentially breached in January 2014. In particular, certain LA Care members, once logged into the LA Care online payment portal, could view other members' PHI, including names, addresses and member identification numbers. On Feb. 26, 2016, after the article was published and OCR had initiated its investigation, LA Care filed a breach report with OCR stating that the breach was due to a manual information processing error.

Over three years later, on March 15, 2019, LA Care filed another breach report with OCR disclosing that certain LA Care members, around Jan. 30, 2019, received identification cards intended for other members due to a mailing error. The identification cards contained PHI, resulting in a breach affecting 1,498 individuals.

The settlement indicated that LA Care’s potential HIPAA violations included the failure to conduct a risk analysis to determine risks and vulnerabilities to members’ PHI and the failure to perform periodic evaluations in response to environmental or operational changes affecting the security of PHI. While the settlement agreement and CAP do not detail what environmental or operational changes were implemented, LA Care’s website indicates that between 2014 and 2015 it (i) expanded access to 180,000 new members; (ii) launched a new online member portal; and (iii) increased members’ online access to member health information, such as prescription data.

OCR's investigation of the two breaches also identified additional security deficiencies, including several instances of noncompliance with the HIPAA Security Rule. For example, OCR alleged that LA Care failed to:

  1. Implement security measures sufficient to reduce risks and vulnerabilities to a reasonable and appropriate level.
  2. Implement sufficient procedures to regularly review records of information system activity.
  3. Perform periodic technical and nontechnical evaluations in response to environmental or operational changes affecting the security of PHI.
  4. Implement hardware, software and/or procedural mechanisms that record and examine activity in information systems that contain or use PHI.

Pursuant to the CAP, LA Care must conduct an enterprise-wide risk analysis to identify the vulnerabilities to PHI in its data systems, programs and online applications. LA Care also must implement HIPAA-specific policies and procedures, a risk management plan and employee training to address and mitigate potential security risks to PHI going forward. If LA Care does not meet the requirements set forth in the CAP, which include submitting annual reports to OCR outlining its CAP compliance status, LA Care may be liable for civil monetary penalties.

OCR’s settlement agreement and CAP demonstrate that all covered entities must comply with HIPAA, but that it is not enough to simply implement technical security safeguards. Covered entities must proactively monitor HIPAA compliance, particularly when undergoing operational changes, such as offering or expanding online access to PHI.

Furthermore, OCR stated that LA Care’s HIPAA noncompliance was “a serious concern given the size of this covered entity.” OCR’s comments indicate that covered entities that maintain a significant amount of PHI may face additional scrutiny on an organizational scale in the event of an OCR investigation. However, by periodically assessing security safeguards, running enterprise-wide risk analyses and implementing an ongoing risk management plan, covered entities can proactively remedy vulnerabilities. This approach not only reduces the risk of a data breach, but also lowers the risk that OCR will impose burdensome reporting requirements and penalties on a covered entity in the event of a breach.

McGuireWoods’ attorneys have a wealth of experience helping clients navigate HIPAA’s numerous complexities, including compliance with the Breach Notification, Privacy and Security Rules, and responding to OCR investigations. For assistance with HIPAA compliance or other data privacy and security issues, please contact one of the authors of this article.