HHS reaches HIPAA settlement with Solara Medical Supplies
Solara Medical Supplies agreed to pay $3 million to resolve potential HIPAA violations stemming from a phishing attack.
The HHS Office for Civil Rights reached a $3 million settlement with Solara Medical Supplies, a supplier of insulin pumps, continuous glucose monitors and other supplies for diabetes patients. The settlement resolved potential HIPAA violations stemming from a 2019 phishing attack against Solara.
Solara suffered a phishing attack between April and June 2019, when an unauthorized party gained access to eight employee email accounts. The resulting breach affected more than 114,000 individuals and involved names, addresses, Social Security numbers, bank account numbers, patient account login information, diagnoses and other personal information.
In January 2020, Solara filed a second breach report after it sent 1,531 breach notification letters to the wrong mailing addresses.
The Office for Civil Rights (OCR) launched an investigation and uncovered several potential HIPAA violations, including failure to conduct a thorough risk assessment and failure to provide timely notification to those affected by the first breach. Solara also allegedly failed to provide timely notification to media outlets, as is required under HIPAA when a breach affects more than 500 residents of a state or jurisdiction.
As a result of the breach, Solara agreed to pay $3 million to HHS and undergo a corrective action plan. The corrective action plan requires Solara to address several HIPAA Security Rule provisions. Solara is required to conduct a complete enterprise-wide risk analysis, which includes an inventory of all electronic equipment, off-site data storage facilities and applications that store protected health information.
Solara must submit its risk analysis methodology to HHS for approval. What's more, the corrective action plan requires Solara to develop an enterprise-wide risk management plan and to distribute its updated policies and procedures across its workforce and provide training.
"Cyberattacks have skyrocketed exponentially in recent years. Effective cybersecurity requires identifying potential risks and vulnerabilities to health information and implementing effective security measures to protect against them," OCR Director Melanie Fontes Rainer said in an accompanying press release.
"Health care entities that fail to address identified cybersecurity issues leave themselves vulnerable to cyberattacks. OCR urges health care entities to prioritize securing their information systems and take all necessary steps to reduce and prevent cyberattacks and safeguard protected health information."
Jill McKeon has covered healthcare cybersecurity and privacy news since 2021.