Settlement Is 5th HIPAA Enforcement Action Under HHS’s OCR Risk Analysis Initiative

An Illinois-based firm that provides fitness and wellness plans to clients throughout the U.S. has agreed to pay federal regulators a settlement of nearly $228,000 and implement a corrective action plan following an IT misconfiguration incident that resulted in several breach reports in late 2018 and early 2019.
The settlement resolves a U.S. Department of Health and Human Services’ Office for Civil Rights investigation into Health Fitness, which the agency initiated after receiving four breach reports from the company – filed as a business associate on behalf of multiple covered entities – between Oct. 15, 2018 and Jan. 25, 2019.
The settlement with Health Fitness is HHS OCR’s fifth enforcement action under its risk analysis initiative, launched in 2024, in which the agency is shining a brighter spotlight on the persistent failure of many HIPAA-regulated entities to conduct a timely and comprehensive HIPAA security risk analysis.
“Conducting an accurate and thorough risk analysis is not only required but is also the first step to prevent or mitigate breaches of electronic protected health information,” said Anthony Archeval, OCR acting director, in a statement Friday. “Effective cybersecurity includes knowing who has access to electronic health information and ensuring that it is secure.”
HHS OCR said Health Fitness reported that, beginning in approximately August 2015, a software server misconfiguration resulted in electronic protected health information becoming exposed to automated search devices, or web crawlers, and discoverable on the internet.
Health Fitness found the breach on June 27, 2018. “Health Fitness initially reported that approximately 4,304 individuals were affected and later estimated that the number of individuals affected may be lower,” HHS OCR said.
The agency said its investigation into the incident determined that Health Fitness had failed to conduct an accurate and thorough risk analysis to identify potential risks and vulnerabilities to the ePHI it held until Jan. 19, 2024.
In addition to the financial settlement, Health Fitness in its resolution agreement with HHS OCR also agreed to implement a corrective action plan that includes:
- Annually reviewing and updating its HIPAA security risk analysis;
- Developing and implementing a risk management plan to address and mitigate security risks and vulnerabilities identified in its risk analysis;
- Implementing a process for evaluating environmental and operational changes that affect the security of ePHI; and
- Developing, maintaining and revising written policies and procedures to comply with the HIPAA privacy, security and breach notification rules.
HHS OCR said it will monitor Health Fitness’ corrective action plan for two years.
Health Fitness is one of several acquired subsidiaries now owned and managed by Lake Forest, Ill.-based Trustmark Mutual Holding Co.
Trustmark did not immediately respond to Information Security Media Group’s request for comment on the Health Fitness settlement with HHS OCR.
The Health Fitness settlement is not the first HHS OCR action involving an IT misconfiguration: the agency has previously taken action against at least one other HIPAA-regulated firm for a separate breach of the same kind, outside the risk analysis initiative.
A 2019 IT misconfiguration breach that exposed personal health information of nearly 1.6 million patients on the web led to Inmediata, a Puerto Rico-based clearinghouse, paying a $250,000 financial settlement with HHS OCR for multiple potential HIPAA violations (see: Clearinghouse Pays $250K Settlement in Web Exposure Breach).