On January 8, 2025, OCR announced a $337,750 settlement that USR Holdings, LLC, a Florida-based HIPAA business associate, agreed to pay to resolve multiple alleged violations of the HIPAA Security Rule.
USR Holdings owns and operates primary mental health and substance abuse treatment centers in Florida, Kentucky, and Maryland. As a HIPAA business associate, it provides management oversight and support services from its base in Port St. Lucie, Florida, and operates a substance abuse marketing facility in Coconut Creek, Florida. USR Holdings filed a breach report with OCR about a hacking incident involving its network server that affected the protected health information (PHI) of 2,903 individuals.
The USR Holdings breach was relatively small compared with the 2019 average data breach size of 88,003 records, which shows that enforcement action is not determined by the size of a breach. OCR investigates every reported breach affecting 500 or more individuals, and also investigates complaints received from individuals, to determine whether the breach or complaint stems from HIPAA noncompliance. When OCR finds serious HIPAA violations, a financial penalty is likely.
Breach reports submitted by USR Holdings on behalf of three HIPAA-covered entities between December 8, 2018 and January 9, 2019 notified OCR of the data breach. OCR's investigation confirmed unauthorized access to a database containing ePHI. Although USR Holdings blocked the unauthorized access on December 8, 2018, investigators determined that it had begun on August 23, 2018, meaning USR Holdings failed to detect the intrusion for roughly four months. Throughout that window, the unauthorized third party was able to access the database and delete ePHI from it.
OCR alleged that USR Holdings potentially violated four provisions of the HIPAA Rules:
- 45 C.F.R. § 164.308(a)(1)(ii)(A) – Failure to conduct an accurate and thorough risk analysis to identify the risks and vulnerabilities to the confidentiality, integrity, and availability of ePHI.
- 45 C.F.R. § 164.308(a)(1)(ii)(D) – Failure to implement procedures to regularly review records of information system activity, such as audit logs and access reports.
- 45 C.F.R. § 164.308(a)(7)(ii)(A) – Failure to establish and implement procedures to create and maintain retrievable exact copies of ePHI.
- 45 C.F.R. § 164.502(a) – Impermissible disclosure of the ePHI of 2,903 individuals by allowing an unauthorized third party to access and delete that ePHI.
In addition to the financial penalty, USR Holdings agreed to a corrective action plan (CAP), and OCR will monitor its implementation for two years to verify compliance with the HIPAA Rules. The CAP requires USR Holdings to conduct an accurate and thorough risk analysis, develop a risk management plan, establish a process for evaluating environmental or operational changes that affect the security of ePHI, develop HIPAA policies and procedures to ensure full compliance with the HIPAA Rules, and train its workforce on those policies and procedures.
OCR Director Melanie Fontes Rainer stated that healthcare organizations must ensure oversight of the people responsible for their information systems, and must have backup systems capable of producing exact copies of the ePHI they store in case health data is held for ransom or lost. Effective cybersecurity, she said, means being able to restore access to ePHI after a cyberattack so that patient care is not disrupted.