Solara’s $3,000,000 Cybersecurity Phishing Attack

Phishing attacks are one of the most common methods used by cybercriminals to gain unauthorized access to sensitive information. Solara Medical Supplies, a provider of diabetes-related medical products, fell victim to such an attack in 2019 when cybercriminals accessed eight employee email accounts over two months. This unauthorized access exposed the electronic protected health information (ePHI) of more than 114,000 patients, including sensitive details like names, medical records, and insurance information.

Despite the severity of the breach, Solara compounded the issue by failing to notify affected individuals and regulatory agencies promptly, violating HIPAA’s Breach Notification Rule. The delayed notifications and lack of proper security safeguards triggered an investigation by the Office for Civil Rights (OCR), culminating in a $3,000,000 settlement and a detailed corrective action plan.

Resolution Agreement and Corrective Action Plan

Under the resolution agreement, Solara agreed to a rigorous two-year corrective action plan. The plan involves several key actions:

  1. Conducting a Comprehensive Risk Analysis
    Solara must perform a thorough and accurate risk analysis to identify all potential vulnerabilities in its information systems. This step ensures that any future risks to patient data are detected early and addressed promptly.
  2. Implementing a Risk Management Plan
    The organization is required to create and maintain a written risk management plan that outlines specific measures to mitigate identified risks. Regular updates are essential to adapt to evolving cybersecurity threats.
  3. Developing HIPAA-Compliant Policies and Procedures
    Solara must draft, maintain, and revise its HIPAA policies and procedures, ensuring that they align with current regulatory requirements.
  4. Workforce Training
    Effective compliance hinges on informed employees. Solara is required to conduct regular HIPAA training for all staff members to prevent future phishing attacks and other cybersecurity breaches.

In cases like these, organizations should consider experts like EPI Compliance and Taino Consultants, whose services mirror the requirements identified in Solara’s Resolution Agreement.

OCR’s Recommendations: Preventing Phishing and Securing Business Associate Relationships

In addition to Solara’s corrective action plan, OCR issued general recommendations for healthcare entities and their business associates. These recommendations include:

  • Vendor and Business Associate Management
    Solara’s breach highlights the risks posed by insufficient oversight of business associates. Medical suppliers, distributors, and other business partners often handle large volumes of sensitive data. A breach in one organization can ripple through its entire network of partners. OCR emphasizes the need for Business Associate Agreements (BAAs) that clearly define responsibilities in case of a breach.

    EPI Compliance offers automated BAA tracking and management solutions to help healthcare organizations ensure that all vendors comply with HIPAA requirements.

  • Regular Risk Analysis and Auditing
    OCR recommends integrating routine risk analysis and auditing into business processes. This includes implementing audit controls to monitor and record information system activity. These controls not only detect unauthorized access but also serve as evidence of compliance during audits.
  • Multi-Factor Authentication (MFA)
    Phishing attacks often succeed because a stolen password alone is enough to log in. By requiring MFA, organizations add a second factor that the attacker does not hold, so that even if credentials are stolen, access remains restricted.
  • Encryption of ePHI
    Encrypting sensitive data is a key defense against unauthorized access. Even if data is intercepted, encryption ensures it remains unreadable without the correct decryption key.
  • Incident Response and Lessons Learned
    OCR advises healthcare entities to incorporate lessons from incidents into their security management process. Following each incident, a thorough review should be conducted to understand what went wrong and how similar breaches can be avoided.

Risks Business Associates Pose to the Healthcare Ecosystem

Solara’s breach not only jeopardized its own operations but also posed potential risks to the organizations that depend on it. Many healthcare providers rely on medical suppliers to deliver critical equipment; in Solara’s case, continuous glucose monitors and insulin pumps. If such suppliers are compromised, supply chains can be disrupted, patient care delayed, and sensitive data exposed across multiple organizations.

Business associates are often an overlooked vulnerability. They may handle substantial volumes of patient data but lack robust security frameworks. Without proper oversight and enforceable BAAs, a breach at a business associate can cascade, affecting covered entities and their patients. EPI Compliance and Taino Consultants offer solutions to mitigate this risk, from ensuring proper vendor due diligence to maintaining a centralized BAA repository.

OCR’s emphasis on business associate management highlights the interconnected nature of healthcare data. Every entity in the chain must take ownership of its security practices to protect patient privacy and ensure uninterrupted care delivery.