Solara Medical Supplies Pays $3M to Settle Alleged HIPAA Security and Breach Notification Rule Violations
The HHS’ Office for Civil Rights (OCR) has announced that a settlement has been reached with a direct-to-patient distributor of medical products to resolve multiple violations of the HIPAA Rules. Solara Medical Supplies, LLC, a subsidiary of AdaptHealth, claims it is the largest American supplier of continuous glucose monitors, insulin pumps, and other supplies to patients with diabetes, and is a Medicare provider that partners with more than 300 insurance providers.
Solara Medical Supplies sent a breach notification to OCR in November 2019 about a phishing incident that led to the email accounts of eight employees being accessed by an unauthorized individual between April 2019 and June 2019. Solara’s investigation confirmed the accounts contained the electronic protected health information (ePHI) of 114,007 individuals. Then, in January 2020, OCR was notified that while sending breach notification letters about that incident, 1,531 letters were sent to incorrect mailing addresses, resulting in a further breach of the protected health information (PHI) – demographic information – of 1,531 individuals.
OCR investigated the data breaches to determine whether Solara Medical Supplies was compliant with the HIPAA Rules and identified several potential HIPAA violations. Solara Medical Supplies had not conducted a comprehensive and accurate risk analysis to identify risks and vulnerabilities to all ePHI contained in its systems, in violation of 45 C.F.R. § 164.308(a)(1)(ii)(A) of the HIPAA Security Rule. Security measures had not been implemented to reduce risks and vulnerabilities to ePHI to a reasonable and appropriate level, in violation of 45 C.F.R. § 164.308(a)(1)(ii)(B) of the HIPAA Security Rule, and there were two impermissible disclosures of PHI, one involving the ePHI of 114,007 individuals (the phishing incident) and the other involving the PHI of 1,531 individuals (the mis-mailing incident).
OCR also found multiple violations of the HIPAA Breach Notification Rule, which requires notification letters to be issued to the HHS, prominent media outlets, and the individuals affected by the data breach within 60 days of the discovery of the breach. Solara Medical Supplies failed to issue timely notifications to the HHS for both breaches, did not provide timely notifications to the individuals affected by the phishing breach, and did not issue a timely notification to prominent media outlets about the phishing breach, in violation of 45 C.F.R. § 164.404 and 45 C.F.R. § 164.406 of the HIPAA Breach Notification Rule.
OCR gave Solara Medical Supplies the opportunity to resolve the alleged HIPAA violations informally, and Solara Medical Supplies agreed to a settlement that includes a $3,000,000 financial penalty and a corrective action plan that requires all potential HIPAA violations to be addressed. Specifically, a HIPAA-compliant risk analysis must be conducted; a risk management plan must be developed and implemented; written policies and procedures must be developed, maintained, and revised as necessary to comply with the HIPAA Rules; those policies must be distributed to all workforce members; and Solara Medical Supplies must augment its existing HIPAA and Security Training Program, including providing training to the workforce on the new policies and procedures. Compliance with the corrective action plan will be monitored by OCR for 2 years. Solara Medical Supplies was sued over the data breach, with customers alleging insufficient cybersecurity measures had been implemented to protect customer data. Solara opted to settle the class action lawsuit for $9.76 million.
“Cyberattacks have skyrocketed exponentially in recent years. Effective cybersecurity requires identifying potential risks and vulnerabilities to health information and implementing effective security measures to protect against them,” said OCR Director Melanie Fontes Rainer. “Health care entities that fail to address identified cybersecurity issues leave themselves vulnerable to cyberattacks. OCR urges health care entities to prioritize securing their information systems and take all necessary steps to reduce and prevent cyberattacks and safeguard protected health information.”
2024 was a busy year of HIPAA enforcement by OCR, with 22 enforcement actions resulting in settlements or civil monetary penalties. The most commonly identified HIPAA violation was the failure to conduct a HIPAA-compliant risk analysis covering all ePHI and all systems that touch ePHI.