Cardiac monitoring service's breaches of unsecured ePHI lead to settlement with OCR

CardioNet, Inc. (CardioNet), an ambulatory cardiac monitoring service, has entered into a resolution agreement with the HHS Office of Civil Rights (OCR) to settle allegations of breaches of unsecured electronic protected health information (ePHI) affecting a total of 3,610 individuals on two separate occasions. CardioNet has agreed to pay HHS $2,500,000 and comply with a corrective action plan (CAP). The resolution agreement releases CardioNet from any actions HHS may have against CardioNet that arose under the conduct described in the agreement.

OCR’s findings.

CardioNet notified OCR of the breaches on January 10, 2012, and February 27, 2012. Upon investigation, OCR found that CardioNet's conduct did not comply with the Health Insurance Portability and Accountability Act (HIPAA) privacy, security, and breach notification rules. Specifically, CardioNet failed to:

1. conduct an accurate and thorough risk analysis to assess the potential risks and vulnerabilities to the confidentiality, integrity and availability of ePHI, and plan for and implement security measures sufficient to reduce those risks and vulnerabilities;
2. implement policies and procedures that govern the receipt and removal of hardware and electronic media that contain ePHI into and out of its facilities, the encryption of that media, and the movement of the items within its facilities until March 2015; and
3. safeguard against the impermissible disclosure of PHI by its employees, which permitted access to the information by an unauthorized individual, and take sufficient steps to immediately correct the disclosure.

The CAP.

Under the CAP, CardioNet must provide to HHS, for review and approval, a current, comprehensive risk analysis of security risks and vulnerabilities that incorporates its facilities and electronic equipment, data systems, and applications within ninety days of the effective date. HHS will approve or disapprove of the risk analysis and CardioNet will make any needed revisions for HHS approval. Once HHS has approved the risk analysis, CardioNet must review the analysis at least annually. In addition, CardioNet must submit annual reports at the end of the first year and second year of the CAP, each of which includes an attestation signed by an owner or officer of CardioNet attesting that he or she has reviewed the annual final report, has inquired about its contents, and believes that the information is accurate and truthful.

CardioNet also must provide HHS with an organization-wide risk management plan to address and mitigate any security risks found in the risk analysis. HHS will approve or disapprove of the plan. Upon approval, CardioNet must begin to implement the steps the plan identifies to address or mitigate those risks. CardioNet also must review and revise, as necessary, its security rule policies and procedures based on the risk analysis and risk management plan, and include device and media controls. In addition, it must provide certification that portable media devices are encrypted. The revised policies and procedures must be forwarded to HHS for approval.

The CAP addresses CardioNet's obligation to review and revise its training program based on the findings of the risk analysis, the risk management plan, and the revised policies and procedures and certifications. It also addresses CardioNet's obligation to promptly investigate any information related to a workforce member's failure to comply with its policies and procedures and to report a description of the event, the actions it has taken, and the actions it plans to take.

The CAP will be effective for a period of two years from April 3, 2017, unless OCR has notified CardioNet that it has breached the CAP, in which case OCR determines and notifies CardioNet when the breach has been cured. If it is determined that the CAP has been breached, HHS may impose a civil money penalty or other remedy.

SOURCE: Resolution Agreement, April 3, 2017.
