Healthcare Provider Fined After HIPAA Violations: A Wake-Up Call for Cybersecurity

In today’s digital age, the healthcare industry is more reliant on technology than ever
before. This reliance, however, comes with significant risks, especially concerning the
security of sensitive patient data. A recent resolution agreement between the
Department of Health and Human Services (HHS) and Deer Oaks—The Behavioral
Health Solution serves as a stark reminder of the importance of robust cybersecurity
measures and HIPAA compliance.

What Happened?

Deer Oaks, an affiliated covered entity as defined by HIPAA regulations, faced two
critical incidents that led to the resolution agreement with HHS.


First, in December 2021, a complaint was filed alleging that Deer Oaks impermissibly
disclosed protected health information (PHI). The exposed data included patient names,
dates of birth, patient identification numbers, facilities, and diagnoses, which became
public because patient discharge forms had been made accessible online without any
access controls. While the PHI was eventually secured in May 2023, the damage was
already done.


The second incident occurred in August 2023, when Deer Oaks experienced a network
breach. A threat actor exploited a vulnerability and claimed to have exfiltrated data,
demanding payment to prevent the PHI from being posted on the dark web.


HHS’s investigation revealed that Deer Oaks had disclosed PHI in a manner not
permitted by the Privacy Rule and had failed to conduct an accurate and thorough
assessment of potential risks and vulnerabilities to the confidentiality, integrity, and
availability of electronic protected health information (ePHI).

The Resolution

To resolve these violations, Deer Oaks entered into a resolution agreement with HHS,
which includes a corrective action plan. While the specific monetary amount of the
resolution was not disclosed in the agreement, Deer Oaks is obligated to pay HHS a
resolution amount.


As part of the agreement, Deer Oaks is required to comply with a Corrective Action Plan
(CAP), which involves several key steps:

Risk Analysis: Conducting an accurate and thorough analysis of security risks
and vulnerabilities that incorporates all electronic equipment, data systems,
programs, and applications that contain, store, transmit, or receive ePHI.


Risk Management: Developing an enterprise-wide risk management plan to
address and mitigate any security risks and vulnerabilities identified in the risk
analysis.


Policies and Procedures: Developing, maintaining, and revising written policies
and procedures that comply with the federal privacy and security standards for
individually identifiable health information, and that address the threats and
vulnerabilities to ePHI identified in the risk analysis and risk management plan
required by Section V.A and Section V.B of the CAP.


Training: Providing training to all workforce members who have access to ePHI
on the privacy and security of ePHI, including specific training related to the new
policies and procedures.


Reportable Events: Reporting to HHS any workforce member who has likely failed to
comply with the policies and procedures described in Section V.C of the CAP.

Deer Oaks must also submit an implementation report and annual reports to HHS,
detailing their compliance efforts.

Why This Matters

This resolution agreement highlights several critical points for anyone involved in
handling sensitive data:

HIPAA Compliance is Not Optional: The financial and reputational
consequences of HIPAA violations can be severe.
Risk Assessments are Essential: Regularly assessing and addressing
vulnerabilities is crucial for preventing breaches.
Employee Training is Key: A well-trained workforce is the first line of defense
against cyber threats.
Incident Response Plans are a Must: Having a plan in place to respond to
security incidents can minimize damage and ensure a swift recovery.