The Office of Civil Rights in the Department of Health and Human Services (HHS/OCR) used to do a fairly good job of protecting patient's sensitive information. They did this by enforcing the HIPAA security rules and penalties for non-compliance included fines, mandatory compliance programs, and CEO liability.

No longer.

HHS/OCR has now been weaponized to enforce anti-DEI initiatives of the current administration. Here is the recent headline from HHS/OCR:

"OCR Investigates a Major Medical School in California for Reportedly Prioritizing Discriminatory Race-Based Criteria over Academic Merit"

Right. What nonsense. Welcome aboard - your pilot is Dangerous and your Co-pilot is Stupid. Have a good flight.

This will not be good.

DATE: March 25, 2025 at 05:35PM
SOURCE: HEALTHCARE INFO SECURITY

Direct article link at end of text block below.

@HHSOCR Launches New Round of @HIPAA @ComplianceAudits https://t.co/H1mTSpm4G3 #HHSOCR

Here are any URLs found in the article text:

https://t.co/H1mTSpm4G3

Articles can be found by scrolling down the page at https://www.healthcareinfosecurity.com/ under the title "Latest"

-------------------------------------------------

Private, vetted email list for mental health professionals: https://www.clinicians-exchange.org

Healthcare security & privacy posts not related to IT or infosec are at @HIPAABot . Even so, they mix in some infosec with the legal & regulatory information.

-------------------------------------------------

#security #healthcare #doctors #itsecurity #hacking #doxxing #psychotherapy #securitynews #psychotherapist #mentalhealth #psychiatry #hospital #socialwork #datasecurity #webbeacons #cookies #HIPAA #privacy #datanalytics #healthcaresecurity #healthitsecurity #patientrecords @infosec #telehealth #netneutrality #socialengineering

Breach notifications needed to be made faster in 2024. Instead, they were made more slowly.

Some findings from #Bluesight 2025 Breach Barometer report plus additional observations and my frustration with #HHSOCR for not enforcing the notification requirements in #HIPAA and #HITECH.

https://databreaches.net/2025/03/13/breach-notifications-needed-to-be-made-faster-in-2024-instead-they-were-made-more-slowly/

So... apart from the fact that I don't think they should have dropped charges against this doctor, is HHS going to investigate why the hospital gave access to patient data to a former employee/resident who no longer worked there and was never these patients' doctor?

US Justice Department drops case against Texas doctor charged with leaking transgender care data:
https://www.wfaa.com/article/news/local/us-justice-department-drops-case-against-doctor-charged-with-leaking-transgender-care-data/287-3e8a394d-41fb-41bf-bf72-fd012b87851b

HHS OCR settles charges that Inmediata Health Group was exposing patient protected health info online for 3 years due to a webpage error.

Inmediata previously settled a class action lawsuit stemming from the 2016-2019 leak. They also settled a lawsuit by 33 state attorneys general last year. The HHS OCR settlement was for $250k monetary penalty; no corrective action plan was needed since the states' settlement already included a corrective action plan.

Direct link to the resolution agreement:

https://www.hhs.gov/hipaa/for-professionals/compliance-enforcement/agreements/inmediata-health-group-ra-cap/index.html

Press release: https://www.hhs.gov/about/news/2024/12/10/hhs-office-civil-rights-settles-health-care-clearinghouse-inmediata-health-group-hipaa-impermissible-disclosure.html

Inmediata even had trouble with their incident response, as noted on my blog at the time: https://databreaches.net/2019/04/30/in-the-process-of-notifying-patients-of-a-web-exposure-breach-inmediata-experiences-a-mail-exposure-breach/

#HHSOCR announced a $1.19M monetary penalty for Gulf Coast Pain Consultants stemming from a 2019 #databreach. Now we find out that the "third party" that accessed the data was a former contractor.

The covered entity got hit with a fine for failure to:

• conduct an accurate and thorough risk analysis to determine the potential risks and vulnerabilities to ePHI in its systems;
• implement procedures to regularly review records of activity in information systems;
• implement procedures to terminate former workforce members’ access to ePHI; and
• implement procedures for establishing and modifying workforce members’ access to information systems.

https://databreaches.net/2024/12/03/hhs-office-for-civil-rights-imposes-a-1-19-million-penalty-against-gulf-coast-pain-consultants-for-hipaa-security-rule-violations/

Still in the dark: A “500 marker” on HHS's public breach tool is updated, but too many still aren’t. Is HHS doing anything about this??

Spoiler alert: They don't seem to be.

https://databreaches.net/2024/11/08/still-in-the-dark-a-500-marker-is-updated-but-too-many-still-arent-is-hhs-doing-anything-about-this/

HHS Office for Civil Rights Settles Ransomware Cybersecurity Investigation under HIPAA Security Rule for $250,000 - September 26, 2024

https://www.hhs.gov/about/news/2024/09/26/hhs-office-civil-rights-settles-ransomware-cybersecurity-investigation-under-hipaa-security-rule-250-000.html

This stemmed from a March 2017 #ransomware attack and #databreach affecting Cascade Eye & Skin Centers in WA. #HHSOCR became aware of it in May 2017.

Why did it take 7+ years to resolve this?

And btw, I never knew about this breach and even now, cannot find any major media coverage or disclosure of it at the time. And it never showed up on HHS's public breach tool during all this time. Why didn't it show up if it affected 291,000?

This is HHSOCR's 4th ransomware-related investigation under the #HIPAA Security Rule.

@brett @campuscodi

HHS’ Office for Civil Rights Settles Malicious Insider Cybersecurity Investigation for $4.75 Million:

https://www.hhs.gov/about/news/2024/02/06/hhs-office-civil-rights-settles-malicious-insider-cybersecurity-investigation.html

Another #HIPAA #SecurityRule #enforcement action but this was from an #insider wrongdoing #databreach that police notified the center about in 2015. The theft occurred in 2013. Why is #HHSOCR first settling this NOW?

An inexcusable gap from breach to notification, or an excusable one?

https://www.databreaches.net/an-inexcusable-gap-from-breach-to-notification-or-an-excusable-one/

Repeat after me: "Date of discovery" does NOT mean the date you completed any investigation. It is the date on which you first knew or reasonably should have known that you had a breach of unsecured PHI.

It is not a huge breach as breaches go, but Sightpath Medical's breach notification raises a lot of questions about compliance with HIPAA's Breach Notification Rule. I hope #HHSOCR investigates this one.