Potential HIPAA Right of Access Violation Resolved for $80,000
UnitedHealthcare Insurance Company (UHIC) has agreed to pay $80,000 to resolve an alleged failure to provide timely access to protected health information (PHI). The voluntary settlement agreement also requires the company to implement a Corrective Action Plan for at least one year.
In 2019, the Department of Health and Human Services’ Office for Civil Rights (OCR) launched an enforcement initiative in response to a growing number of complaints about violations of the HIPAA Right of Access provision, 45 CFR §164.524, which requires covered entities to give individuals access to their own PHI. To date, OCR has investigated hundreds of such complaints and reached settlements in forty-five enforcement actions.
The most recent settlement stems from a complaint filed against UHIC by a member who requested a copy of their PHI in January 2021. The Right of Access rule requires a response within 30 days, with at most one 30-day extension. UHIC did not respond within that time frame, so the member complained to OCR, which opened an investigation in April 2021. The member did not receive the requested records until July 2021, six months after the initial request.
According to the resolution agreement, once UHIC learned of the complaint to OCR it conducted its own internal investigation and attributed the failure to an oversight by a single employee. Although the company cooperated throughout the investigation, OCR determined that UHIC had failed to provide timely access to PHI, in violation of 45 CFR §164.524.
In addition to paying $80,000 for the alleged violation, UHIC must adopt a Corrective Action Plan for at least one year. The Plan requires UHIC to revise, where necessary, its policies and procedures for handling individual access requests, distribute the revised policies to its workforce, and train the workforce members affected by any material change.
The Corrective Action Plan also requires UHIC to submit quarterly reports to OCR listing the date each access request was received, the date it was fulfilled, and any fee charged to the individual. The reports must also state the format of access requested, the format actually provided, and, for requests fulfilled on paper, the number of pages supplied.
In the press release accompanying the announcement of the settlement, OCR Director Melanie Fontes Rainer stated that timely access to health information is one of the fundamentals of HIPAA. OCR will continue to ensure that covered entities with a track record of late responses to, or denials of, access requests face enforcement action. Health insurers are not exempt from the right of access and must make sure they train their employees so that they are working diligently to give members access to their medical information.
Lawsuit Blames Unum Group for MOVEit Data Breach
A Florida resident has filed a lawsuit against the employee benefits company Unum Group over the MOVEit Transfer data breach. The lawsuit alleges that Unum Group failed to protect the personal data stored in its systems. Unum Group was one of many organizations hit by the mass exploitation of a zero-day vulnerability in Progress Software’s MOVEit Transfer file transfer application (CVE-2023-34362, an SQL injection flaw). Progress Software issued a security advisory on May 31, 2023, and released a patch the same day, but the Clop ransomware group had already exploited the vulnerability in its attacks and stolen sensitive data from affected deployments.
On August 3, 2023, Unum Group reported that it had been affected by the attack and that the PHI of past and present customers of its subsidiary insurance carriers had been accessed without authorization, including names, dates of birth, addresses, and medical insurance claim details. The breach was reported to the HHS Office for Civil Rights as affecting 531,732 individuals.
The lawsuit states that Unum Group was obligated under the Federal Trade Commission Act and HIPAA to protect the privacy and confidentiality of customer data, yet failed to do so. Realistically, a company cannot be expected to prevent the exploitation of a vulnerability that was unknown at the time of the attack and that the software vendor had not yet confirmed or patched; the more pertinent question is whether the company’s own controls around the affected system were adequate, and that is what the remaining allegations address.
The complaint, Williams v. Unum Group, alleges that Unum was responsible for the breach because it did not adequately encrypt the data transferred through the file transfer system, did not redact customers’ personal data, and failed in its legal duty to review, monitor, and verify the security practices of its IT vendors. (Encryption of files in transit, which the complaint emphasizes, offers no protection once an attacker has compromised the transfer server itself; what matters in that scenario is whether sensitive files were encrypted at rest and how long they were left on the server.) The complaint also takes issue with how long Unum Group took to notify affected individuals (notifications were sent roughly two months after the suspicious activity was discovered) and with the lack of detail in those notifications about the root cause of the breach, which it says made it harder for victims to mitigate the harm.
The lawsuit claims that the plaintiff and class members now face a present and ongoing risk of identity theft and fraud and must incur out-of-pocket costs to prevent, detect, and recover from the misuse of their data, which is now in the attackers’ possession. The lawsuit seeks a jury trial, class certification, and an award of actual, statutory, compensatory, nominal, and punitive damages, plus attorneys’ fees.