
Spencer Gifts Pays $450,000 Penalty to Resolve HIPAA Failures

The national retail company Spencer Gifts LLC has agreed to a $450,000 settlement to resolve alleged violations of the HIPAA Rules that OCR identified while investigating a data breach affecting 10,023 members of its employer-sponsored group health plan (Spencer Gifts LLC Flexible Benefits and Welfare Benefit Plans).

In November 2021, staff were prevented from connecting to the company’s virtual private network. The IT issue was investigated, and the access issues were determined to be due to a ransomware attack. A threat actor had accessed the company’s network between November 24, 2021, and November 26, 2021, and used ransomware to encrypt files, including files on servers that stored plan members’ electronic protected health information (ePHI). Data exposed and potentially stolen in the incident included names, addresses, zip codes, phone numbers, email addresses, and Social Security numbers. OCR was notified about the data breach on January 24, 2022.

OCR investigates all reported breaches affecting 500 or more individuals to determine whether they were the result of HIPAA noncompliance. Under its current enforcement initiative, OCR is laser-focused on the risk analysis provision of the HIPAA Security Rule. OCR requires evidence to demonstrate that a regulated entity has conducted a thorough and accurate risk analysis to identify risks and vulnerabilities to the confidentiality, integrity, and availability of ePHI.

OCR determined that Spencer Gifts had failed to conduct a HIPAA-compliant risk analysis, in violation of 45 C.F.R. § 164.308(a)(1)(ii)(A) of the HIPAA Security Rule. Spencer Gifts was also found to have failed to implement policies and procedures to comply with the HIPAA Privacy, Security, and Breach Notification Rules, in violation of 45 C.F.R. § 164.316(a) and 45 C.F.R. § 164.530(i)(1).


OCR determined that the HIPAA violations warranted a financial penalty. Spencer Gifts was informed of OCR’s determination and intention to impose a financial penalty, and the health plan was given the opportunity to settle the alleged violations informally. Spencer Gifts agreed to pay a $450,000 financial penalty and adopt a corrective action plan to address the alleged areas of noncompliance.

The corrective action plan requires Spencer Gifts to conduct a comprehensive and accurate risk analysis, review and update its HIPAA policies and procedures, distribute those policies and procedures to the workforce, and provide HIPAA training to its workforce. “Effective cybersecurity starts with Security Rule compliance, ensuring that Security Rule provisions are implemented before a cyberattack occurs,” said OCR Director Paula M. Stannard. “Regulated entities — including covered group health plans — should ensure these protections are firmly in place well before a cyberattack occurs, so the privacy and security of individuals’ health information remain safeguarded.”

This is the 20th OCR investigation of a ransomware attack resulting in a financial penalty for noncompliance with the HIPAA Rules, the 14th enforcement action under OCR’s risk analysis enforcement initiative, and the 7th HIPAA penalty to be announced this year. So far this year, OCR has collected $1,728,000 in penalties to resolve alleged violations of the HIPAA Rules from three healthcare providers, two health plans, and two business associates.

Author: Steve Alder is the editor-in-chief of The HIPAA Journal. Steve is responsible for editorial policy regarding the topics covered in The HIPAA Journal. He is a specialist on healthcare industry legal and regulatory affairs, and has 10 years of experience writing about HIPAA and other related legal topics. Steve has developed a deep understanding of regulatory issues surrounding the use of information technology in the healthcare industry and has written hundreds of articles on HIPAA-related topics. Steve shapes the editorial policy of The HIPAA Journal, ensuring its comprehensive coverage of critical topics. Steve Alder is considered an authority in the healthcare industry on HIPAA. The HIPAA Journal has evolved into the leading independent authority on HIPAA under Steve’s editorial leadership. Steve manages a team of writers and is responsible for the factual and legal accuracy of all content published on The HIPAA Journal. Steve holds a Bachelor’s of Science degree from the University of Liverpool. You can connect with Steve via LinkedIn or email via stevealder(at)hipaajournal.com
