WASHINGTON, D.C. — The U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR) has announced a settlement with Deer Oaks – The Behavioral Health Solution, a Texas-based behavioral health provider, over potential violations of the Health Insurance Portability and Accountability Act (HIPAA) Privacy and Security Rules. The agreement underscores ongoing federal efforts to strengthen protections for sensitive patient information amid rising cyber threats.
The settlement, which includes a $225,000 payment and a corrective action plan, resolves an investigation into Deer Oaks’ handling of electronic protected health information (ePHI). Deer Oaks serves residents of long-term care and assisted living facilities, providing psychological and psychiatric services.
OCR’s investigation began in May 2023 after a complaint alleged that Deer Oaks improperly exposed patient information online. The investigation confirmed that discharge summaries containing sensitive data—including names, birth dates, patient IDs, and diagnoses—were publicly accessible due to a coding error in a discontinued pilot program for an online patient portal. This information was visible and cached by search engines from at least December 2021 until May 2023, affecting 35 individuals.
The inquiry expanded in July 2024 following a cyberattack in August 2023, when a compromised account led to unauthorized access and potential exfiltration of data. A threat actor demanded payment to prevent publishing stolen ePHI on the dark web. Deer Oaks subsequently notified HHS, over 171,000 affected individuals, and the media.
OCR concluded that Deer Oaks failed to conduct a thorough risk analysis to identify vulnerabilities to its ePHI systems, a critical requirement under HIPAA’s Security Rule.
“Identifying potential risks and vulnerabilities to ePHI is a key step in preventing or mitigating breaches of protected health information,” said OCR Director Paula M. Stannard, emphasizing the importance of robust security assessments.
Under the resolution, Deer Oaks has agreed to a two-year corrective action plan overseen by OCR. The plan mandates annual risk analyses, implementation of a risk management strategy, revised policies and procedures compliant with HIPAA, and comprehensive training for staff with access to patient data.
OCR also offered broader recommendations to all covered entities and business associates, encouraging organizations to improve data security practices by routinely updating risk analyses, implementing strict access controls, encrypting data, and providing ongoing, role-specific HIPAA training.
This settlement highlights the growing need for healthcare organizations to proactively safeguard patient information and adhere to evolving cybersecurity standards. The resolution agreement and corrective action plan are publicly available on the HHS website.