Behavioral health provider settles for $225K with HHS over HIPAA violations
Farah Amod
July 16, 2025
Deer Oaks agreed to pay $225,000 and adopt corrective actions following multiple security failures involving patient health data.
What happened
The U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR) has reached a settlement with Deer Oaks – The Behavioral Health Solution over potential violations of the HIPAA Privacy and Security Rules. The behavioral health provider disclosed electronic protected health information (ePHI) in two separate incidents: one involving discharge summaries that were publicly accessible online and another involving a ransomware-style breach in 2023.
OCR’s investigation began in May 2023 after receiving a complaint that Deer Oaks had exposed ePHI online, including names, birthdates, diagnoses, and facility information. Deer Oaks attributed the exposure to a coding error in a now-discontinued pilot portal. The information remained publicly accessible and cached by search engines for over a year, impacting 35 individuals.
Going deeper
OCR later expanded the investigation after Deer Oaks suffered a cyberattack in August 2023. A threat actor compromised an account, accessed the provider’s network, and attempted to extort payment to avoid releasing stolen data on the dark web. Deer Oaks reported the breach to HHS, notified 171,871 affected individuals, and issued a media statement.
Following both incidents, OCR determined that Deer Oaks had failed to conduct a required risk analysis under the HIPAA Security Rule. Specifically, the organization had not sufficiently assessed vulnerabilities to the confidentiality, integrity, and availability of its ePHI. The risk analysis is a foundational requirement under HIPAA, intended to prevent breaches by identifying and mitigating security gaps.
What was said
OCR Director Paula M. Stannard stressed the necessity of proactive risk assessments, stating that an accurate and thorough analysis can reduce exposure to malicious threats and accidental errors. She noted that many covered entities fail to update their risk analyses when adopting new technologies or expanding operations, increasing the likelihood of HIPAA violations.
Deer Oaks has agreed to implement a corrective action plan that includes annual risk analysis updates, a risk management plan, revised HIPAA policies, and mandatory training for all employees with access to PHI. OCR will monitor the provider’s compliance for two years.
The big picture
The Deer Oaks case shows how technical misconfigurations and limited oversight can expose healthcare organizations to data breaches. Although the initial issue was tied to a setup error, the follow-up incident points to broader gaps in security planning and monitoring. Addressing these risks requires consistent risk assessments, clear documentation, and internal controls that support HIPAA compliance and reduce the likelihood of repeat incidents.
FAQs
What is a HIPAA risk analysis, and why is it important?
A HIPAA risk analysis is a formal assessment used to identify and evaluate potential threats to the security of electronic protected health information (ePHI). It’s a foundational requirement for HIPAA compliance and guides how an organization secures sensitive health data.
Are public data exposures treated differently from malicious breaches under HIPAA?
No. Whether data is exposed accidentally (as in a coding error) or through a cyberattack, either case is considered a potential HIPAA violation if proper safeguards and risk analysis were not in place.
What does a corrective action plan typically include?
Corrective action plans often require updated risk assessments, employee training, revised policies, and ongoing oversight from OCR to ensure continued compliance with HIPAA rules.
Can cached data from search engines be considered a HIPAA breach?
Yes. If ePHI becomes publicly accessible and is indexed or cached by search engines, it is considered a breach under HIPAA even if the original error was unintentional.
How often should healthcare providers update their HIPAA risk analysis?
OCR recommends that providers conduct a risk analysis periodically and whenever significant operational or technological changes occur that could affect ePHI security.