OCR Settles HIPAA Phishing Violation Case for $3 Million

An OCR investigation of a phishing attack and subsequent mailing error by Solara Medical Supplies uncovered multiple violations of the HIPAA Security Rule and Breach Notification Rule. Solara Medical Supplies is a direct-to-patient distributor of continuous glucose monitors, insulin pumps, and other supplies to patients with diabetes and as a HIPAA-covered entity, Solara is required to comply with the HIPAA Rules.

OCR received a notification from Solara in November 2019 about a data breach involving the electronic protected health information (ePHI) of 114,007 individuals. A threat actor had sent phishing emails to Solara’s employees and 8 responded and disclosed their credentials, allowing their email accounts to be accessed between April 2019 and June 2019. Then, in January 2020, OCR received another breach report from Solara. While sending breach notification letters about the phishing data breach, 1,531 notification letters were sent to incorrect addresses, impermissibly disclosing patients’ demographic information.

OCR investigated both data breaches and identified HIPAA Security Rule failures. Solara had not conducted a comprehensive and accurate risk analysis to identify risks and vulnerabilities to ePHI and had not implemented sufficient security measures to reduce risks and vulnerabilities to an acceptable level. The notifications about the data breaches were also unnecessarily delayed and were issued outside the 60 days permitted under the HIPAA Breach Notification Rule. Solara discovered the phishing attack and data breach on June 28, 2019, but did not report the data breach to OCR until November 13, 2019, 5 months after the breach was discovered. Individual notification letters were similarly delayed, and a timely notification was not issued to prominent media outlets.

There were also two impermissible disclosures of ePHI, the first due to the phishing attack and the second due to the mis-mailing incident, which combined involved an impermissible disclosure of the ePHI of 115,538 individuals. The alleged HIPAA violations were settled informally with Solara agreeing to pay a $3 million financial penalty and adopt a corrective action plan to address the noncompliance. The CAP includes the requirement to conduct a comprehensive and accurate risk analysis, develop a risk management plan, develop policies and procedures to ensure compliance with the HIPAA Rules and provide training to the workforce on the policies and procedures. OCR will monitor Solara for two years to ensure compliance with the CAP.

About Liam Johnson

Liam Johnson has produced articles about HIPAA for several years. He has extensive experience in healthcare privacy and security. With a deep understanding of the complex legal and regulatory landscape surrounding patient data protection, Liam has dedicated his career to helping organizations navigate the intricacies of HIPAA compliance. Liam focusses on the challenges faced by healthcare providers, insurance companies, and business associates in complying with HIPAA regulations. Liam has been published in leading healthcare publications, including The HIPAA Journal. Liam was appointed Editor-in-Chief of The HIPAA Guide in 2023. Contact Liam via LinkedIn: https://www.linkedin.com/in/liamhipaa/