New HHS-OIG Exclusions
The Department of Health and Human Services Office of Inspector General (HHS-OIG) has announced new additions to its List of Excluded Individuals and Entities (LEIE). The LEIE, often referred to as the HHS-OIG exclusion list, is a centralized registry for individuals and entities that have been prohibited from participating in federally funded healthcare programs, including Medicare and state healthcare programs. There are mandatory exclusions for individuals and entities convicted of criminal offenses such as Medicare or Medicaid fraud, patient abuse or neglect, and for felony convictions for other health care-related fraud, theft, or other financial misconduct, and felony convictions related to the unlawful manufacture, distribution, prescription, and dispensing of controlled substances. HHS-OIG also has the authority to exclude individuals and entities on other grounds, termed permissible inclusions. Reasons for permissive inclusions include misdemeanor convictions, engaging in unlawful kickbacks, suspension or revocation of a healthcare license, and defaulting on health...
Multi-million-dollar Settlement Agreed to Resolve MCNA Dental Data Breach Lawsuit
A settlement has been agreed to resolve class action data breach litigation against Managed Care of North America (MCNA), Inc., and MCNA Insurance Company, doing business as MCNA Dental and Healthplex, Inc. The companies were sued in response to a massive data breach in 2023 that affected almost 9 million individuals. In March 2023, the defendants identified unauthorized access to the MCNA network. The LockBit ransomware group was behind the attack and first gained access to the network on February 22, 2023. Access was maintained until March 7, 2023, when ransomware was used to encrypt files. Prior to file encryption, sensitive data was exfiltrated from the network, including personal and protected health information (PHI). MCNA Dental is one of the largest providers of government-sponsored dental benefits to children through state Medicaid and Children’s Health Insurance Programs, and stores a vast amount of PHI. The investigation determined that the ransomware group accessed or exfiltrated the PHI of 8,923,662 individuals, including names, contact information, Social Security...
Spencer Gifts Pays $450,000 Penalty to Resolve HIPAA Failures
The national retail company Spencer Gifts LLC has agreed to a $450,000 settlement to resolve alleged violations of the HIPAA Rules that OCR identified while investigating a data breach affecting 10,023 members of its employer-sponsored group health plan (Spencer Gifts LLC Flexible Benefits and Welfare Benefit Plans). In November 2021, staff were prevented from connecting to the company’s virtual private network. The IT issue was investigated, and the access issues were determined to be due to a ransomware attack. A threat actor had accessed the company’s network between November 24, 2021, and November 26, 2021, and used ransomware to encrypt files, including files on servers that stored plan members’ electronic protected health information (ePHI). Data exposed and potentially stolen in the incident included names, addresses, zip codes, phone numbers, email addresses, and Social Security numbers. OCR was notified about the data breach on January 24, 2022. OCR investigates all reported breaches affecting 500 or more individuals to determine whether they were the result of HIPAA...
HIPAA Violation Fines
HIPAA violation fines can be issued by the Department of Health and Human Services’ Office for Civil Rights (OCR) and state attorneys general for failing to comply with HIPAA regulations. In this article, we provide a detailed explanation of HIPAA violation fines that have been imposed on HIPAA-regulated entities found to have violated the HIPAA Rules. You can also use the article in conjunction with our free HIPAA Violations Checklist to understand what is required to ensure full compliance. Please use the form on this page to arrange for your copy. The Majority Of HIPAA Violation Fines are from Settlements In the majority of cases, covered entities and business associates accept that there have been potential failures to comply with certain elements of HIPAA Rules, a settlement amount is agreed, and the case is resolved with no admission of liability. In addition to the settlement, a corrective action plan is issued to address the HIPAA failures. HIPAA-covered entities and business associates may disagree with the findings of the investigation and challenge the decision to...
HIPAA Violation Cases: Types & Consequences
HIPAA violation cases are compliance investigations that result from a data breach being reported to the Department of Health and Human Services’ (HHS) Office for Civil Rights (OCR) or a privacy complaint being submitted to OCR via the complaints portal. When OCR identifies a violation of HIPAA, violation cases can be resolved in multiple ways. OCR may choose to take no action if the HIPAA-regulated entity has identified and voluntarily corrected the HIPAA violation. If the HIPAA violation is not severe, OCR often chooses to provide technical assistance to help the regulated entity correct the violation. When there has been a serious violation of the HIPAA Rules or evidence is found suggesting widespread noncompliance, OCR may initiate a more extensive review. Serious violations are sometimes resolved with a financial penalty. OCR will notify the regulated entity about the findings of the investigation and typically gives the regulated entity an opportunity to settle the alleged violations informally. These settlements involve a reduced financial penalty and generally include...



