Print Article

US Hospitals Fined $2.175M for "Refusal to Properly Report" Data Breach


An American health services provider has agreed to pay a fine of $2.175m after refusing to properly notify Health and Human Services of a data breach.

In April of 2017, a complaint regarding Sentara Hospitals was received by the Department of Health and Human Services (HHS). The complainant said that they had received a bill from Sentara Hospitals containing another patient’s protected health information (PHI).

An investigation launched by the Office for Civil Rights (OCR) determined that Sentara had merged the billing statements for 577 patients with 16,342 different guarantors' mailing labels, resulting in the disclosure of the PHI of 577 individuals.

Information exposed by the breach included patient names, account numbers, and dates of services they had received.

Sentara reported this incident as a breach affecting only eight individuals. The health services provider had incorrectly concluded that unless a disclosure included patient diagnosis, treatment information, or other medical information, no reportable breach of PHI had occurred.

A spokesperson for HHS said: "Sentara persisted in its refusal to properly report the breach even after being explicitly advised of their duty to do so by OCR."

The OCR also determined that Sentara Hospitals provides services involving the receipt, maintenance, and disclosure of PHI for its member-covered entities, but did not enter into a business associate agreement with its business associate Sentara Healthcare until October 17, 2018, well after the breach.

Sentara manages 12 acute-care hospitals with more than 300 sites throughout Virginia and North Carolina. The health services provider agreed to take corrective action and pay $2.175m to settle potential violations of the Health Insurance Portability and Accountability Act (HIPAA) Breach Notification and Privacy Rules.

Roger Severino, OCR director, said: "HIPAA compliance depends on accurate and timely self-reporting of breaches because patients and the public have a right to know when sensitive information has been exposed.

"When health care providers blatantly fail to report breaches as required by law, they should expect vigorous enforcement action by OCR."

In addition to the monetary settlement, Sentara will undertake a corrective action plan that includes two years of monitoring. As part of the plan, Sentara will have to develop, maintain, and revise, as necessary, their written policies and procedures to comply with federal standards.

To read original article please click here


The Team

Meet the team of industry experts behind Comsure

Find out more

Latest News

Keep up to date with the very latest news from Comsure

Find out more


View our latest imagery from our news and work

Find out more


Think we can help you and your business? Chat to us today

Get In Touch

News Disclaimer

As well as owning and publishing Comsure's copyrighted works, Comsure wishes to use the copyright-protected works of others. To do so, Comsure is applying for exemptions in the UK copyright law. There are certain very specific situations where Comsure is permitted to do so without seeking permission from the owner. These exemptions are in the copyright sections of the Copyright, Designs and Patents Act 1988 (as amended)[]. Many situations allow for Comsure to apply for exemptions. These include 1] Non-commercial research and private study, 2] Criticism, review and reporting of current events, 3] the copying of works in any medium as long as the use is to illustrate a point. 4] no posting is for commercial purposes [payment]. (for a full list of exemptions, please read here]. Concerning the exceptions, Comsure will acknowledge the work of the source author by providing a link to the source material. Comsure claims no ownership of non-Comsure content. The non-Comsure articles posted on the Comsure website are deemed important, relevant, and newsworthy to a Comsure audience (e.g. regulated financial services and professional firms [DNFSBs]). Comsure does not wish to take any credit for the publication, and the publication can be read in full in its original form if you click the articles link that always accompanies the news item. Also, Comsure does not seek any payment for highlighting these important articles. If you want any article removed, Comsure will automatically do so on a reasonable request if you email