Scripps Health, Avalon Healthcare reach settlements after data breaches
Two recent healthcare data breach settlements spotlight the impact breaches have on the sector. (“Cash Money (part two)” by jtyerse is licensed under CC BY-NC-ND 2.0.)

States have ramped up enforcement efforts against entities affected by ransomware and other data privacy breaches, particularly those in healthcare, over the last year. At an even greater pace, there’s been a relentless uptick in the number of breach lawsuits filed against providers.

Two recent healthcare data breach settlements spotlight the growing dichotomy and impact on the healthcare sector.

Oregon and Utah recently handed down a $200,000 fine to Avalon Healthcare Management to resolve compliance issues found in the wake of its 2019 email-related data breach, while Scripps Health reached a $3.5 million settlement with patients affected by its 2021 incident.

Avalon Health pays states $200K, with new security requirements

The attorneys general of Utah and Oregon reached a $200,000 settlement with Avalon Health, which also requires the provider to develop and implement practices that aim to bolster its information security for both patient and employee data.

In April 2020, the skilled nursing, therapy, senior living, and assisted living provider reported an email-related incident affecting 14,500 Avalon employees and patients. A threat actor gained access to an email account 10 months earlier in July 2020, after an employee fell victim to a phishing attack.

The account contained employee and patient names, addresses, Social Security numbers, dates of birth, driver’s license numbers, medical treatment information, including diagnosis, health conditions, and/or medications, and limited financial information.

The delayed notification prompted the states’ joint investigation, with a particular focus on Avalon’s email security practices and compliance with state breach notification laws and the Health Insurance Portability and Accountability Act. Under HIPAA, notices are required without undue delay and within 60 days of discovery. Under Oregon law, the timeline is just 45 days.

The delay, highly common with email-related breaches in healthcare, prompted the fine, as well as the sensitivity of the data it held,…