Sentara's settlement with the U.S. Department of Health and Human Services was one of the largest the agency sought to collect in 2019, The Virginian-Pilot reported Wednesday.
The company runs several hospitals in Virginia including Sentara Norfolk General Hospital, Sentara Virginia Beach General Hospital and Sentara Northern Virginia Medical Center.
Federal officials said Sentara mailed the health information of 577 patients — including their names, account numbers and dates of services — to incorrect addresses.
Sentara didn't report the breach and the agency received a complaint in April 2017 regarding a bill sent to the incorrect person, the newspaper said.
Sentara claimed the breach only involved eight patients because the other errors didn't expose diagnoses and treatments, but officials disagreed.
The $2.175 million settlement requires Sentara to undergo monitoring for two years, the company has to review its privacy policies and submit regular compliance reports. As part of the agreement, the company did not admit wrongdoing.
Sentara spokesman Dale Gauding said the company has since added more quality control measures and hired a new privacy director.
The settlement money will not go to the patients whose health information was compromised. Instead, it goes to the federal agency.