HIPAA Blog

[ Tuesday, September 12, 2023 ]

 

LA Care Breach and Incident net $1.3M fine: Yesterday, HHS announced a settlement with LA Care, the public health plan run by Los Angeles County, relating to two prior incidents: a 2019 data breach involving 1500 patients whose membership cards were sent to the wrong member, and a 2013 incident involving about 500 people whose information was loaded onto a different patient's page on LA Care's online patient portal.

Hmm.  Nothingburger breaches, both of them.  The only data exposed was demographic, the provider is a comprehensive service provider so the fact that the individual received care from LA Care isn't particularly sensitive (contra: it shows that the individual is likely poor; but the recipient is also poor, so still a minor problem), the lots exposed were small, and the actual problem (misdirected mail or computer data sorting) is pretty common.  So why the big fine?

It's a tale as old as time, or at least as old as HIPAA investigations: it's not the incident that brings the heat, it's what the investigation exposes.  LA Care didn't have sufficient data security, certainly not for an organization of its size.  Lack of risk analyses and lack of safeguards were the underlying cause of the 2 minor breaches, and those problems are big enough to warrant an eye-opening fine.

Jeff [9:16 AM]
