$2.17M Fine for Sentara Hospitals for Breach Notice Failure


Sentara Hospitals was fined $2.17 million after it failed to inform the United States government of a data breach. The Virginia-based hospital chain reportedly misreported the incident to the Department of Health and Human Services (HHS).

In response to the allegations against the corporation, Sentara Hospitals agreed to pay the fine. However, the company refused to admit wrongdoing in the settlement, notes Healthcare Dive.


Apart from the settlement, the Virginia-based hospital chain agreed to enact improved training measures and corrective approaches to its system. Under these new measures, Sentara is expected to undergo monitoring for two years, says Becker’s Hospital Review.

The health system also agreed to update the Office for Civil Rights (OCR) regarding its corrective action plan for the next six years, notes Healthcare Dive. Only 2 hospitals out of the 12 branches in North Carolina and Virginia were excluded from the settlement agreement.

Sentara Hospitals Breach Notice Failure


The data breach at the Sentara Hospitals chain occurred in 2017. In this incident, the information of approximately 577 individuals was compromised, states the HHS report. The affected information includes patient names, account numbers, and dates of services.

Instead of reporting the data breach and its full extent, the healthcare system only disclosed that eight patients had been affected by the incident. The issue was brought to the attention of the United States Department of Health and Human Services in April 2017. A patient reported the incident after receiving another patient’s protected health information (PHI).

An extensive investigation launched by the Office for Civil Rights revealed that the breach occurred when Sentara mailed documents of more than 500 patients to wrong addresses. These documents contained PHI, including patient names, account numbers, and dates of services.

However, the company announced that the incident involved only 8 individuals. The reason for this is that Sentara assumed that the disclosure of patients’ info only constitutes reportable breaches. HHS noted that this conclusion was incorrect.

Moreover, HHS reported that the company failed to comply with proper guidelines even after being advised to report the breach. OCR Director Roger Severino emphasized that “HIPAA compliance depends on accurate and timely self-reporting of breaches.” This is because “patients and the public have the right to know when sensitive information has been exposed.”

Severino also warned that OCR will hold accountable health care facilities that “blatantly failed to report breaches” as the Health Insurance Portability and Accountability Act (HIPAA) mandates.