Sentara Hospitals agrees to $2.2M HIPAA settlement for incorrectly reporting data breach

Mackenzie Garrity

Norfolk, Va.-based Sentara Hospitals has agreed to pay the Office for Civil Rights $2.175 million to settle alleged HIPAA violations, according to a Nov. 27 news release.

In April 2017, the health system reported that eight patients had been affected in a data breach. Sentara said that it had improperly sent a bill to a patient containing another patient's protected health information. Upon further investigation, the OCR determined that Sentara had mailed 577 patients' information to wrong addresses.

Patient data exposed included names, account numbers and dates of services. Sentara originally reported that only eight patients had been affected because the incident did not involve diagnosis, treatment information or other medical information.

Along with the $2.175 million settlement, Sentara has agreed to undergo a corrective action plan with two years of monitoring.

"HIPAA compliance depends on accurate and timely self-reporting of breaches because patients and the public have a right to know when sensitive information has been exposed," said Roger Severino, OCR director. "When healthcare providers blatantly fail to report breaches as required by law, they should expect vigorous enforcement action by OCR."

Copyright © 2024 Becker's Healthcare. All Rights Reserved.