The U.S. Department of Health and Human Services (HHS), Office for Civil Rights (OCR), has reached a settlement with Deer Oaks – The Behavioral Health Solution over potential violations of the HIPAA Privacy and Security Rules. Deer Oaks, which offers psychological and psychiatric services to residents in long-term care and assisted living facilities, was found to have failed key compliance obligations under HIPAA.
OCR enforces the HIPAA Privacy, Security, and Breach Notification Rules to ensure that covered entities—such as health plans, most healthcare providers, and their business associates—safeguard protected health information (PHI). The Privacy Rule establishes standards for the use and disclosure of PHI and guarantees individuals the right to access their health records. The Security Rule, meanwhile, outlines administrative, physical, and technical safeguards for protecting electronic PHI (ePHI). One of its key provisions is the requirement for a thorough risk analysis to assess vulnerabilities to the confidentiality, integrity, and availability of ePHI.
“Identifying risks and vulnerabilities to ePHI is critical for preventing or minimizing data breaches,” said OCR Director Paula M. Stannard. “We often find that entities under investigation lack a current or sufficient HIPAA risk analysis, particularly after adopting new technologies or expanding operations.”
Summary of Investigation
OCR initiated an investigation in May 2023 following a complaint alleging that Deer Oaks had publicly disclosed ePHI. The complaint was substantiated when OCR confirmed that discharge summaries containing sensitive patient information—such as names, birth dates, IDs, facility names, and diagnoses—were accessible online. This exposure, caused by a coding error in a discontinued pilot online patient portal, allowed data to be cached by search engines from December 2021 through May 19, 2023. Thirty-five individuals were directly affected by this breach.
In July 2024, OCR expanded its investigation after a second incident: a cyberattack on August 29, 2023, involving a compromised account. A threat actor claimed to have stolen patient data and demanded ransom to prevent it from being posted on the dark web. Deer Oaks notified HHS, 171,871 impacted individuals, and the media about the breach.
OCR concluded that Deer Oaks had failed to perform an accurate and thorough risk analysis in both cases, violating the HIPAA Security Rule.
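The pilot-portal exposure above is a familiar pattern: a retired application stayed reachable, and because nothing told crawlers or caches to stay away, search engines copied what it served. As an added example (not code from the OCR release or from Deer Oaks), the Python below scores responses from retired paths the way a reviewer would after such an incident: is the path still returning 2xx, is the response cacheable, is it indexable, and does the body look like a discharge summary. The URLs, responses and PHI markers are constructed for the example; `fetch()` is a live helper for real use and is not exercised offline.

```python
# Added example, not part of the OCR release or any Deer Oaks code.
# Audits retired web paths for the failure mode described above.
import re
import urllib.error
import urllib.request
from dataclasses import dataclass


@dataclass
class Response:
    """One HTTP response to a retired path; built by fetch() or constructed by hand."""
    url: str
    status: int
    headers: dict
    body: str = ""


# Crude markers for discharge-summary-like content.  These are an assumption for
# the example, not fields OCR cited; tune them to what the retired app emitted.
PHI_MARKERS = [
    re.compile(r"\b(DOB|date of birth)\b", re.I),
    re.compile(r"\bdiagnos(is|es)\b", re.I),
    re.compile(r"\bdischarge summary\b", re.I),
]

# Statuses that mean "nothing served" for a retired path.
CLEAN_STATUSES = {401, 403, 404, 410}


def findings_for(resp: Response) -> list:
    """Return finding codes for one response; an empty list means the path is cleanly retired."""
    hdr = {k.lower(): v.lower() for k, v in resp.headers.items()}
    found = []
    if 200 <= resp.status < 300:
        found.append("RETIRED_PATH_STILL_SERVING")
        cache = hdr.get("cache-control", "")
        if "no-store" not in cache and "private" not in cache:
            found.append("CACHEABLE_BY_INTERMEDIARIES")
        if "noindex" not in hdr.get("x-robots-tag", ""):
            found.append("INDEXABLE_BY_SEARCH_ENGINES")
        if any(p.search(resp.body) for p in PHI_MARKERS):
            found.append("BODY_LOOKS_LIKE_PHI")
    elif 300 <= resp.status < 400:
        # A redirect is not an exposure by itself, but the target needs the same review.
        found.append("REDIRECT_REVIEW_TARGET:" + hdr.get("location", "?"))
    elif resp.status not in CLEAN_STATUSES:
        found.append("UNEXPECTED_STATUS_%d" % resp.status)
    return found


def audit(responses) -> dict:
    """Map each URL to its findings, keeping only URLs with at least one finding."""
    report = {}
    for r in responses:
        f = findings_for(r)
        if f:
            report[r.url] = f
    return report


def fetch(url: str, timeout: float = 10.0) -> Response:
    """Live helper (not run offline): fetch anonymously, as a crawler would,
    and keep the status and headers even when the server returns an HTTP error."""
    req = urllib.request.Request(url, headers={"User-Agent": "retired-path-audit/1.0"})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as r:
            return Response(url, r.status, dict(r.headers),
                            r.read(65536).decode("utf-8", "replace"))
    except urllib.error.HTTPError as e:
        return Response(url, e.code, dict(e.headers),
                        e.read(65536).decode("utf-8", "replace"))


# Constructed sample responses (hypothetical hosts; not real Deer Oaks URLs or data).
SAMPLE = [
    Response("https://pilot.example.org/discharge/1001", 200,
             {"Content-Type": "text/html"},
             "<h1>Discharge Summary</h1>Patient 1001, DOB 1950-03-04, Diagnosis: ..."),
    Response("https://pilot.example.org/discharge/1002", 200,
             {"Content-Type": "text/html", "Cache-Control": "no-store",
              "X-Robots-Tag": "noindex"},
             "<h1>Service retired</h1>"),
    Response("https://pilot.example.org/discharge/1003", 410, {}),
    Response("https://pilot.example.org/login", 302,
             {"Location": "https://portal.example.org/login"}),
]

if __name__ == "__main__":
    for url, f in audit(SAMPLE).items():
        print(url, ", ".join(f))
```

The second sample shows why the checks are separate: a 200 tombstone page with `no-store` and `noindex` is still reported as serving, but without the cacheable or indexable findings, so a reviewer can tell a deliberate retirement notice from a live data leak. Against a real inventory, feed `audit()` with `fetch(url)` for every path the retired application ever served, not just its front page, since the cached discharge summaries in the case above were individual records.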
Resolution Agreement and Corrective Action Plan
To settle the matter, Deer Oaks agreed to pay $225,000 and implement a two-year corrective action plan under OCR supervision. The provider has committed to:
- Conducting and updating an annual HIPAA risk analysis;
- Developing and implementing a comprehensive risk management plan;
- Maintaining and revising HIPAA policies and procedures as needed;
- Providing annual HIPAA training to all employees with access to PHI.
OCR’s Recommendations for HIPAA-Covered Entities
OCR urges all HIPAA-covered entities and business associates to take the following cybersecurity measures:
- Identify where ePHI is stored and how it moves through your systems;
- Conduct periodic risk analyses and update risk management plans accordingly;
- Implement audit controls to monitor system activity;
- Regularly review and assess system logs and activities;
- Use authentication tools to ensure only authorized personnel access ePHI;
- Encrypt ePHI both at rest and in transit when appropriate;
- Integrate lessons learned from security incidents into your ongoing security strategy;
- Deliver organization-specific HIPAA training tailored to employee roles and responsibilities.