27 questions

Data Breaches & Enforcement

Documented healthcare data breaches, OCR settlements, ransomware incidents, and regulatory enforcement patterns.

What should patients do after the Episource data breach?

Affected individuals were advised to sign up for the free credit monitoring and identity theft protection offered by Episource. The post also recommends checking bank, credit card, and health insurance statements, using personal data removal services, installing strong antivirus software, enabling two-factor authentication, and watching for fake mail or phishing that uses stolen contact details.

How can small businesses spot COVID-19 SBA loan and grant fraud?

The SBA warning in the post says the agency does not initiate contact about 7(a) loans, disaster loans, or grants, so unsolicited contact claiming to be from the SBA should raise suspicion. It also warns against upfront fees for loan approval, excessive broker fees, emails asking for personal information, and webpages that copy the SBA logo but do not come from a reliable government source.

What COVID-19 fraud schemes did the FBI warn healthcare organizations about?

The post identifies several schemes, including fake CDC emails, phishing messages tied to stimulus checks, counterfeit COVID-19 treatments or protective equipment, and Zoom-bombing. It also notes an OCR alert about someone posing as an OCR investigator to obtain protected health information. The recommended response is to avoid unknown links or attachments, verify web addresses, and report suspicious activity through the FBI Internet Crime Complaint Center.

How should covered entities verify someone claiming to be an OCR investigator?

Covered entities and business associates should ask for verifiable information and an email address ending in hhs.gov. The OCR recommendation cited in the post says to request a confirming email from the investigator's HHS email address. Suspected impersonation of federal law enforcement should be reported to the FBI.

What compliance lessons did the November 2011 healthcare enforcement actions highlight?

The post uses the November 2011 enforcement actions as a warning that any provider can become the next case if compliance is treated casually. It recommends conducting gap analyses across billing, operations, medical records, HIPAA Privacy and Security, OSHA, and human resources. It also emphasizes updating policies, training personnel, documenting actions, and asking for help when uncertain.

Why did eClinical agree to a $155 million settlement?

The post says eClinical, a Massachusetts company, agreed to pay $155 million to settle claims that it falsely obtained Electronic Health Record certification. The issues cited included incomplete drug code and interaction checks, inaccurate audit logs, and failure to track lab results. The post warns that providers who collected incentive money based on that certification may need legal advice.

Why can copy-paste documentation in EHRs create fraud risk?

The post cites an OIG report warning that copy-pasting and over-documentation can lead to fraud when clinicians do not review or correct cloned entries. The author notes that templates and prompts can improve efficiency, but records must still show the uniqueness of each patient and encounter. Providers remain responsible for documentation whether they reviewed it carefully or not.

Why can public breach reporting lead to privacy breach lawsuits?

The post argues that breach reporting laws make it easy to identify a potential class after a privacy incident becomes public. It raises concern that investors may fund attorneys to file class actions because healthcare organizations often settle rather than spend resources on litigation. The author distinguishes careless breaches from sophisticated attacks and urges regulations focused on protecting data and respecting patient privacy.

Why do healthcare organizations need business associate agreements?

The post points to more than $8 million in settlements tied to missing business associate agreements. It explains that the government may find a business associate relationship even without a contract, and subcontractors can be treated as business associates. Covered entities must obtain assurances that business associates will safeguard protected health information and must preserve those obligations through subcontractor relationships.

What did the Radiology Group settlement allege?

The post says The Radiology Group and its CEO settled a civil fraud lawsuit for $3.1 million after allegations involving diagnostic radiology services. The company allegedly outsourced initial interpretations to contractors in India who were not authorized to practice medicine in the United States, while U.S.-based radiologists often rubber-stamped reports. The case also involved misrepresented radiologist identities and claims billed to federal healthcare programs.

Can a provider release patient records to another treating provider without written authorization?

The post says HIPAA allows protected health information to be disclosed for treatment under 45 CFR 164.506(c), including coordination or management of a patient's care. A separate written authorization is not required when another legitimate provider needs records for treatment. The organization should still verify the request, document the disclosure, train staff, use safeguards, and conduct risk analysis.

Are HIPAA policies and procedures required even if they are not in the Security Standards Matrix?

The post says policies and procedures are required under 45 CFR 164.316 even if that standard is not listed in Appendix A of the Security Standards Matrix. OCR investigations and corrective action plans often identify outdated or missing policies as a deficiency. Policies should address HIPAA Security requirements, reflect the organization, and be updated as needed, with at least an annual review recommended.

Why did Humana lose its Medicare Advantage star ratings lawsuit against CMS?

The post says Humana challenged CMS's decision to downgrade the star ratings of its Medicare Advantage plans, arguing the scoring changes were unfair and retroactive. CMS maintained that the plans were rated under defined rules using performance and patient feedback. The federal court sided with CMS, leaving Humana facing the loss of hundreds of millions in bonus payments in 2026.

How could lower Medicare Advantage star ratings affect providers and patients?

The post explains that lower star ratings can reduce bonus payments to an insurer, which may then look for savings elsewhere. Providers could face lower reimbursement rates, tighter utilization management, more prior authorizations, and added pressure to meet quality targets. Patients could see reductions in extra benefits, higher out-of-pocket costs, or network disruption if providers leave the plan.

What was the Red Flag Rule and why did it matter to healthcare providers?

The post says the FTC issued the Red Flag and Address Discrepancy Rules to require financial institutions and creditors to address identity theft risks and develop mitigation plans. Healthcare providers were identified as creditors subject to the rule, which took effect November 1, 2008. Even with lawsuits challenging the rule's application to healthcare, the post recommends developing policies, training employees, and implementing the rule.

How do policies and procedures reduce HIPAA enforcement risk?

The post says policies and procedures increase efficiency, standardize processes, reduce mistakes, minimize liability, protect against breaches, and simplify training. It points to a $1.7 million Alaska Department of Health and Social Services settlement where the corrective action plan required policies and procedures for HIPAA Security Rule compliance. The author recommends simple language, checklist-style steps, workplace testing, staff involvement, and at least annual review.

What were the laboratory kickback settlement allegations against marketers and physicians?

The post says two laboratory marketers and five physicians agreed to pay over $1.5 million to settle allegations involving laboratory kickback schemes. The alleged payments were disguised as consulting or MSO fees to induce laboratory referrals, leading to false claims to Medicare. The post frames the case as a reminder that kickbacks can distort medical decisions, harm taxpayer-funded programs, and undermine trust.

Can waiving copayments or referral-based scheduling be treated as a kickback?

The post explains that a kickback does not have to be paid in cash, and not collecting copayments may be interpreted as a kickback. It cites the Health Alliance of Greater Cincinnati and Christ Hospital settlement for $108 million over an alleged pay-for-play cardiologist scheduling scheme. The author recommends outside review, a customized compliance plan, and actual implementation rather than paper binders.

What is upcoding in Medicare Advantage risk adjustment?

The post explains that Medicare Advantage plans receive fixed monthly payments that increase when patients appear sicker through risk adjustment. Upcoding happens when diagnoses make patients look sicker than they are or lack active clinical support. Providers should apply the MEAT criteria, meaning they should only code conditions they Monitor, Evaluate, Assess or Address, and Treat, and should report pressure to upcode through compliance channels.

What do the new OCR rules for substance use disorder records require?

The post says OCR announced a civil enforcement program focused on confidentiality of substance use disorder patient records and alignment with HIPAA privacy standards. Healthcare organizations should identify where sensitive records are stored, limit who can access them, update notices of privacy practices, train staff on sensitive phone calls, and maintain a clear process for reporting and correcting privacy leaks.

How are CMS Medicare Advantage audits changing in 2025?

The post says CMS is moving from auditing a small sample of Medicare Advantage plans to auditing all eligible contracts every year. It reports that audits will expand from about 60 plans per year to over 550, with a goal of clearing the 2018 through 2024 backlog by early 2026. CMS is also increasing coders, reviewing more records per plan, and using AI to flag unsupported diagnoses.

Why are MSOs and vendors now part of Medicare Advantage audit risk?

The post explains that CMS, DOJ, and OIG now view MSOs and vendors as active participants in risk adjustment, claims processing, and Medicare Advantage data work. If an MSO or vendor is tied to unsupported diagnoses, coding errors, overbilling, or poor documentation, it may face clawbacks, penalties, or False Claims Act allegations. Liability can extend beyond the official Medicare Advantage contractor.

How can providers reduce risk from Ozempic lawsuit claims?

The post recommends detailed patient education and documentation for conversations about risks and side effects. Providers should review informed consent processes, use specific consent forms for high-risk medications, and explain what patients should do if side effects occur. It also recommends staying updated on drug information, including FDA warnings such as those for intestinal blockages.

What did the BCBS Tennessee PHI breach settlement show about HIPAA risk?

The post says BCBS of Tennessee agreed to pay $1.5 million and implement a corrective action plan after a protected health information breach that put an estimated 1 million consumers at risk. It also lists other six- and seven-figure HIPAA settlements. The lesson is that covered entities and business associates need to understand requirements, perform routine compliance actions, and decide what to handle internally or subcontract.

How can healthcare businesses reduce compliance liability?

The post recommends mapping legal requirements into a practical system, training staff, and using checklists to document required actions. It also emphasizes preparing delegated personnel with courses and levels of responsibility. Because subcontractors are a major risk area, the author created a process to verify that subcontractors are reliable, responsible, and completing their own required tasks.

Why is email a common healthcare cybersecurity risk?

The post cites Verizon's Data Breach Investigations Report to say email continued to be the most common attack vector at 96%, while phishing and pretexting represented 93% of identified social breaches. Email is efficient but can pass through multiple servers and may be copied or stored in plain text. The author recommends avoiding suspicious messages, verifying senders, and using end-to-end encryption for sensitive information.

Why did tracking technology create a HIPAA concern in the Kaiser breach?

The post says Kaiser Foundation Health Plan disclosed that online technologies on its websites and mobile apps may have transmitted health data to third-party vendors including Google, Microsoft, and X. The exposed information included names, IP addresses, and application-use details such as health encyclopedia search terms. The breach affected 13.4 million current and former members and reinforced OCR guidance on tracking technologies and ePHI safeguards.
