On January 14, 2025, the U.S. Department of Health and Human Services (“HHS”) entered into a settlement agreement relating to alleged HIPAA regulation violations with Solara Medical Supplies LLC, a direct-to-consumer distributor of continuous glucose monitors, insulin pumps, and other supplies to patients with diabetes. Solara is a Covered Entity under HIPAA. The settlement agreement includes a $3 million civil penalty, but the agreement specifically states that it is not an admission by Solara.
Background
This matter began in 2019, when an unauthorized third party gained access to eight Solara employee email accounts as a result of a targeted phishing attack from April to June 2019. The compromised email accounts contained electronic protected health information. It was determined that 114,007 individuals were potentially affected by this incident.
Solara notified HHS of the incident on November 13, 2019. Solara notified the affected individuals. Unfortunately, on January 17, 2020, Solara reported another breach to HHS that resulted when notification letters relating to the phishing incident were sent to wrong mailing addresses. As a result, protected health information consisting of demographic information of 1,531 individuals was impermissibly disclosed.
HHS conducted investigations and claimed that Solara violated HIPAA rules by:
- Impermissible disclosure of protected health information
- Not conducting an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of protected health information
- Not implementing security measures sufficient to reduce risks and vulnerabilities to a reasonable and appropriate level
- Not providing timely notification to individuals
- Not providing timely notification to HHS
- Not providing timely notification to media
Settlement Agreement
In order to settle the matter, HHS and Solara entered into an agreement, pursuant to which Solara agreed to pay $3 million. In addition, Solara agreed to:
Conduct a proper risk analysis. The agreement includes detailed requirements:
Solara shall conduct and complete an accurate, thorough, enterprise-wide analysis of risks and vulnerabilities that incorporates all risks to Solara’s ePHI related to electronic equipment, data systems, programs, and applications, including any that may receive or access ePHI from systems, programs, and applications controlled, administered, owned, or shared by Solara’s affiliates. As part of this process, Solara shall develop a complete inventory of all electronic equipment, data systems, media, off-site data storage facilities, and applications that contain or store ePHI, which will then be incorporated in its Risk Analysis.
Develop and implement an appropriate risk management plan. The plan must address the risks identified in the risk analysis. HHS also required, and Solara agreed to include, the “process and timeline for Solara’s implementation, evaluation, and revision of its risk remediation activities.”
Policies and procedures. Solara agreed to “develop, maintain, and revise its written policies and procedures to comply with the Federal standards that govern the privacy and security of individually identifiable health information.” Solara must distribute those policies and procedures to all members of its “workforce” (employees and contractors) that have access to protected health information. Solara must also conduct training for those workforce members.
Our Take
HHS continues to emphasize the importance of the risk analysis and how compliance with HIPAA regulations depends on that analysis and the steps taken to address those risks. From a practical perspective, companies that conduct cyber risk assessments should simultaneously budget time, money and resources to address and mitigate risks raised from the assessment so that these solutions flow organically from the assessment without unnecessary impediments. Companies should also document the actions taken to address the issues raised in the risk assessment.