Successive HIPAA Breaches Lead To $1.3 Million Settlement For Nation’s Largest Public Health Plan

06 October 2023

McGuireWoods LLP

On Sept. 11, 2023, the U.S. Department of Health and Human
Services’ Office for Civil Rights (OCR) announced that the Local Initiative Health
Authority for Los Angeles County (LA Care) entered into a $1.3
million settlement agreement to resolve allegations
that it violated the Health Insurance Portability and
Accountability Act of 1996, as amended (HIPAA). As part of the
settlement, LA Care, a public health plan whose beneficiaries
consist of 2.7 million Los Angeles County residents, also entered
into a corrective action plan (CAP) to remedy its
alleged HIPAA noncompliance.

OCR initiated an investigation of LA Care on Jan. 13, 2016,
after an online article reported that the protected health
information (PHI) of LA Care beneficiaries was potentially breached
in January 2014. In particular, certain LA Care members, once
logged into the LA Care online payment portal, could view other
members’ PHI, including names, addresses and member
identification numbers. On Feb. 26, 2016, after the article was
published and OCR initiated its investigation, LA Care filed a
breach report with OCR noting that the breach was due to a manual
information processing error.

Over three years later, on March 15, 2019, LA Care filed another
breach report with OCR disclosing that certain LA Care members,
around Jan. 30, 2019, received identification cards intended for
other members due to a mailing error. The identification cards
contained PHI, resulting in a breach affecting 1,498

The settlement indicated that LA Care’s potential HIPAA
violations included the failure to conduct a risk analysis to
determine risks and vulnerabilities to members’ PHI and the
failure to perform periodic evaluations in response to
environmental or operational changes affecting the security of PHI.
While the settlement agreement and CAP do not detail what
environmental or operational changes were implemented, LA
Care’s website indicates that between 2014 and 2015 it
(i) expanded access to 180,000 new members; (ii) launched a new
online member portal; and (iii) increased members’ online
access to member health information, such as prescription data.

Additional security vulnerabilities were identified as a result
of the data breaches, including various instances of noncompliance
with the HIPAA Security Rule. For example, OCR alleged that LA Care
failed to:

  1. Implement security measures sufficient to reduce risks and
    vulnerabilities to a reasonable and appropriate level.

  2. Implement sufficient procedures to regularly review records of
    information system activity.

  3. Perform periodic technical and nontechnical evaluations in
    response to environmental or operational changes affecting the
    security of PHI.

  4. Implement hardware, software and/or procedural mechanisms that
    record and examine activity in information systems that contain or
    use PHI.

Pursuant to the CAP, LA Care must conduct an enterprise-wide
risk analysis to identify the vulnerabilities to PHI in its data
systems, programs and online applications. LA Care also must
implement HIPAA-specific policies and procedures, a risk management
plan and employee trainings to address and mitigate potential
security risks to PHI going forward. If LA Care does not meet the
requirements set forth in the CAP, which include submitting annual
reports to OCR outlining its CAP compliance status, LA Care may be
liable for civil monetary penalties.

OCR’s settlement agreement and CAP demonstrate that all
covered entities must comply with HIPAA, but that it is not enough
to simply implement technical security safeguards. Covered entities
must proactively monitor HIPAA compliance, particularly when
undergoing operational changes, such as offering or expanding
online access to PHI.

Furthermore, OCR stated that LA Care’s HIPAA noncompliance
was “a serious concern given the size of this covered
entity.” OCR’s comments indicate that covered entities
that maintain a significant amount of PHI may face additional
scrutiny on an organizational scale in the event of an OCR
investigation. However, by periodically assessing security
safeguards, running enterprise-wide risk analyses and implementing
an ongoing risk management plan, covered entities can proactively
remedy vulnerabilities. This approach not only reduces the risk of
a data breach, but also lowers the risk that OCR will impose
burdensome reporting requirements and penalties on a covered entity
in the event of a breach.

The content of this article is intended to provide a general
guide to the subject matter. Specialist advice should be sought
about your specific circumstances.