Phishing Attack Leads to $3 Million HIPAA Settlement: Lessons for Healthcare Entities


By: Christopher Parrella, Esq., CPC, CHC, CPCO
Parrella Health Law, Boston, MA
A Health Care Provider Defense and Compliance Firm

The U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR) has announced a $3 million settlement with Solara Medical Supplies, LLC following a phishing attack that exposed sensitive electronic protected health information (ePHI) of over 114,000 individuals. The breach highlights the critical importance of robust cybersecurity measures in protecting patient data and adhering to HIPAA compliance.

What Happened at Solara?

In April 2019, Solara Medical Supplies, a distributor of diabetes management products, fell victim to a phishing attack that compromised eight employees’ email accounts over two months. Unauthorized access to these accounts resulted in a breach of 114,007 individuals’ ePHI. Compounding the issue, Solara sent over 1,500 breach notification letters to incorrect mailing addresses, a second failure that led to additional scrutiny.

An OCR investigation uncovered several HIPAA violations, including:

  1. Failure to Conduct a Comprehensive Risk Analysis

    Solara did not adequately identify risks and vulnerabilities to ePHI within its systems.

  2. Inadequate Security Measures

    The company failed to implement sufficient measures to address known vulnerabilities.

  3. Delayed Breach Notifications

    Solara did not notify individuals, HHS, or the media in a timely manner as required by the HIPAA Breach Notification Rule.

The Corrective Action Plan

As part of the settlement, Solara agreed to a two-year corrective action plan, which includes:

  • Conducting a thorough risk analysis of its systems.
  • Implementing a written risk management plan to address identified vulnerabilities.
  • Revising HIPAA-related policies and procedures.
  • Training employees on HIPAA compliance.

The settlement also requires OCR oversight to ensure these measures are effectively implemented.

What This Means for Healthcare Providers

The Solara case serves as a stark reminder of the vulnerabilities facing healthcare organizations and the severe consequences of inadequate cybersecurity measures. It underscores the need for covered entities and business associates to proactively address HIPAA compliance and safeguard ePHI.

Best Practices to Mitigate Cyber Threats

Healthcare organizations can protect themselves by adopting the following measures:

  1. Conduct Regular Risk Analyses

    Routinely identify and address risks and vulnerabilities in your systems.

  2. Implement Multi-Factor Authentication (MFA)

    Secure access to ePHI with MFA to ensure only authorized users can access sensitive data.

  3. Encrypt ePHI

    Use encryption to guard against unauthorized access during data breaches.

  4. Audit System Activity

    Monitor and examine information system activity regularly to detect anomalies.

  5. Strengthen Vendor Relationships

    Ensure business associate agreements are in place and include breach notification requirements.

  6. Train Your Workforce

    Regularly educate employees on HIPAA compliance and their role in preventing data breaches.
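The "Audit System Activity" item above is the one control on this list that a defender can exercise in code. The incident described here began with compromised employee mailboxes, and the two signals most often visible in mailbox audit logs after such a compromise are sign-ins from locations an account never uses and the creation of auto-forwarding rules. The example below is added here for illustration; it is not code from the original post, from Solara, or from OCR, and it assumes a constructed "timestamp key=value ..." audit-log format, a constructed allowed-country list, and constructed sample records (the country code "ZZ" is a placeholder, not a real location).

```python
import re
from datetime import datetime

# Constructed sample mailbox audit records for illustration only; the field
# names, users, IPs and the "ZZ" country code are assumptions, not real data.
SAMPLE_LOG = """\
2019-04-02T08:15:00Z user=alice@example.org action=login ip=203.0.113.10 country=US result=success
2019-04-02T08:20:00Z user=alice@example.org action=login ip=203.0.113.10 country=US result=success
2019-04-03T02:41:00Z user=alice@example.org action=login ip=198.51.100.7 country=ZZ result=success
2019-04-03T02:45:00Z user=alice@example.org action=inbox_rule_created rule=forward_all_external
2019-04-03T09:00:00Z user=bob@example.org action=login ip=203.0.113.22 country=US result=success
2019-04-03T09:05:00Z user=bob@example.org action=login ip=203.0.113.22 country=US result=failure
"""

FIELD_RE = re.compile(r"(\w+)=(\S+)")


def parse_line(line):
    """Parse one 'timestamp key=value ...' record into a dict; the timestamp is kept under 'ts'."""
    ts, _, rest = line.partition(" ")
    record = dict(FIELD_RE.findall(rest))
    record["ts"] = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")
    return record


def detect_anomalies(log_text, allowed_countries=("US",)):
    """
    Apply two simple post-compromise indicators to mailbox audit records:
      1. a successful login from a country outside the organisation's allowed set
      2. creation of an inbox rule that auto-forwards mail outside the organisation
    Returns a list of (timestamp, user, reason) alerts in log order.
    """
    alerts = []
    for raw in log_text.splitlines():
        if not raw.strip():
            continue
        rec = parse_line(raw)
        user = rec.get("user", "?")
        action = rec.get("action")

        # Rule 1: successful sign-in from an unexpected country.
        if action == "login" and rec.get("result") == "success" \
                and rec.get("country") not in allowed_countries:
            reason = "login from unexpected country %s (%s)" % (
                rec.get("country", "?"), rec.get("ip", "?"))
            alerts.append((rec["ts"].isoformat(), user, reason))

        # Rule 2: external auto-forward rule, a common sign a mailbox is being siphoned.
        if action == "inbox_rule_created" and rec.get("rule", "").startswith("forward_all_external"):
            alerts.append((rec["ts"].isoformat(), user, "external auto-forward rule created"))
    return alerts


def accounts_to_review(alerts):
    """Collapse alerts into the sorted list of accounts that need a human review."""
    return sorted({user for _, user, _ in alerts})


if __name__ == "__main__":
    found = detect_anomalies(SAMPLE_LOG)
    for ts, user, reason in found:
        print(ts, user, reason)
    print("accounts to review:", accounts_to_review(found))
```

Both rules deliberately fire on single records rather than on statistics, so they can run over a daily export without any tuning; the trade-off is that an allowed-country list must be maintained for staff who legitimately travel, and that a rule name pattern such as "forward_all_external" has to be mapped to whatever the real mail platform logs. Either alert on its own is a reason to reset the account's credentials and review what the mailbox contained, which is exactly the ePHI exposure question a breach notification decision turns on.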

The Solara settlement highlights the growing urgency for healthcare organizations to prioritize cybersecurity. At Parrella Health Law, we provide expert legal guidance to ensure your organization remains compliant with HIPAA regulations while safeguarding sensitive patient information. Contact Chris at 857.328.0382 or email cparrella@parrellahealthlaw.com to learn how we can help you navigate the complexities of HIPAA compliance and fortify your cybersecurity defenses.

Christopher A. Parrella, Esq., CPC, CHC, CPCO, is a leading healthcare defense and compliance attorney at Parrella Health Law in Boston. With extensive experience in healthcare law, he provides robust legal support in areas including regulatory compliance, audits, healthcare fraud defense, and reimbursement disputes. Christopher emphasizes client-centered advocacy, offering one-on-one consultations for personalized guidance. His proactive approach helps clients navigate complex healthcare regulations, ensuring compliant operations and defending against government investigations, audits, and overpayment demands.
