NORFOLK, Va. — Sentara has to pay nearly $2.2 million in a settlement with the federal government. In 2017, officials with the Department of Health and Human Services got a complaint from a person claiming Sentara sent them another person's health information.
Federal officials said Sentara initially reported the breach revealed healthcare information for eight people, but after investigating, they found the breach revealed the information of 577 people.
The information ranged from patient names and account numbers to dates of service. Personal Injury Attorney Ed Booth said exposure varies.
“The whole goal of HIPAA is to maintain patient privacy, your name, that sort of thing. So, there can be a very basic violation even if very little information is revealed. The policy here is let's protect patient health information at all costs,” said Booth.
Officials with the Department of Health and Human Services Office for Civil Rights said they told Sentara to report the breach, but Sentara refused.
“HIPAA compliance depends on accurate and timely self-reporting of breaches because patients and the public have a right to know when sensitive information has been exposed,” said Director for the Office for Civil Rights, Roger Severino. “When health care providers blatantly fail to report breaches as required by law, they should expect vigorous enforcement action by OCR,” said Severino.
Brittany Vajda, Sentara's Advisor, Public Relations & Communications, released the following statement about the settlement:
“Sentara and the U.S. Department of Health and Human Services Office of Civil Rights (OCR) have reached a settlement resolving a patient privacy issue. In April 2017, a vendor who prints and mails our bills accidentally printed some patients’ billing information on other patients’ statements. Upon discovering the error, we took immediate action to halt bill printing and mailing and later notified the affected patients. Sentara cooperated fully with the OCR and agreed to pay a fine of $2.175M. Since the incident, we have implemented more stringent quality control measures, required our vendor to enhance their quality control processes and hired a new privacy director. We also are in the process of updating employee training and education and assessing our privacy program as a whole. Sentara is committed to the security of our patients’ personal information and working hard to prevent this error from happening again.”
Federal officials said in the resolution agreement that they will monitor Sentara for the next two years.