The U.S. Department of Health and Human Services (HHS), Office for Civil Rights (OCR), has announced a $3,000,000 settlement with Solara Medical Supplies, LLC (Solara), a provider and distributor of diabetes care products, following potential violations of the HIPAA Security Rule and Breach Notification Rule. This settlement resolves an investigation into a phishing attack that compromised the electronic protected health information (ePHI) of over 114,000 individuals.

OCR is responsible for enforcing the HIPAA Privacy, Security, and Breach Notification Rules, which mandate that covered entities and their business associates protect the privacy and security of protected health information (PHI). The HIPAA Security Rule sets national standards to safeguard the confidentiality, integrity, and security of ePHI through administrative, physical, and technical measures. The Breach Notification Rule requires covered entities to notify affected individuals, HHS, and in some cases, the media, of any breach of unsecured PHI.

Details of the Phishing Incident and Investigation
In November 2019, Solara reported to OCR that a phishing attack allowed an unauthorized third party to access eight employee email accounts between April and June 2019, exposing the ePHI of 114,007 individuals. Solara later reported a second breach in January 2020, in which 1,531 breach notification letters were sent to incorrect addresses.

OCR’s investigation revealed that Solara failed to:

  • Conduct a compliant risk analysis to identify and address vulnerabilities in its systems.
  • Implement adequate security measures to mitigate risks to ePHI.
  • Provide timely breach notifications to individuals, HHS, and the media as required by HIPAA.

Settlement Terms and Corrective Action Plan
Under the settlement agreement, Solara will:

  1. Pay $3,000,000 to OCR.
  2. Implement a Corrective Action Plan (CAP), which OCR will monitor for two years.

The CAP requires Solara to:

  • Conduct a comprehensive risk analysis to identify vulnerabilities to ePHI.
  • Develop and enforce a risk management plan to address identified risks.
  • Create, maintain, and update HIPAA-compliant policies and procedures as needed.
  • Train its workforce on HIPAA policies and procedures to ensure compliance.

The resolution agreement and full corrective action plan are available at: Solara Resolution Agreement.

Recommendations for Preventing Cybersecurity Threats
To mitigate and prevent cyber threats, OCR advises HIPAA-covered entities and business associates to:

  • Regularly review vendor and contractor agreements to ensure compliance with breach notification obligations.
  • Integrate risk analysis and management into routine business processes.
  • Implement audit controls to monitor information system activity.
  • Use multi-factor authentication to limit access to ePHI.
  • Encrypt ePHI to prevent unauthorized access.
  • Incorporate lessons from past incidents into the organization’s overall security strategy.
  • Provide ongoing, role-specific training to workforce members about protecting privacy and security.

This settlement highlights the critical need for healthcare organizations to prioritize cybersecurity, conduct thorough risk assessments, and implement robust safeguards to protect sensitive health information.