$5.5 Million HIPAA Settlement for Florida Provider
Case Involves Insider Breaches Tied to Tax Fraud
Federal regulators have signed a $5.5 million HIPAA settlement with a Florida-based healthcare system for breaches related to unauthorized access to tens of thousands of patients’ information by employees that lasted for more than a year and that subsequently led to criminal charges. It’s the second largest such settlement to date.
In a Feb. 16 statement, the Department of Health and Human Services’ Office for Civil Rights says Memorial Healthcare System, based in Hollywood, Fla., paid the huge financial settlement and agreed to a corrective action plan to address a variety of security control failures related to the insider incidents.
Not-for-profit MHS operates six hospitals, an urgent care center, a nursing home and a variety of ancillary healthcare facilities throughout South Florida. MHS is also affiliated with physician offices through an organized health care arrangement, or OHCA, HHS notes.
The resolution agreement between MHS and OCR notes that on April 12, 2012, MHS submitted a breach report indicating that two employees inappropriately accessed patient information, including names, dates of birth, and Social Security numbers.
The HHS “wall of shame” website listing breaches affecting 500 or more individuals indicates that the MHS breach was reported as affecting nearly 9,500 individuals.
The resolution agreement also notes, however, that on July 11, 2012, MHS submitted another breach report to notify HHS that during its internal investigation, it discovered additional impermissible access by 12 users at affiliated physician offices, potentially affecting another 105,646 individuals.
“Some of these instances led to federal charges relating to selling protected health information and filing fraudulent tax returns,” the resolution agreement notes.
In a statement, OCR says the login credentials of a former employee of an affiliated physician’s office had been used to access the electronic PHI maintained by MHS on a daily basis without detection from April 2011 to April 2012, affecting 80,000 individuals.
“Although it had workforce access policies and procedures in place, MHS failed to implement procedures with respect to reviewing, modifying and/or terminating users’ right of access, as required by the HIPAA Rules,” OCR says.
Further, MHS failed to regularly review records of information system activity on applications that maintain ePHI by workforce users and users at affiliated physician practices, despite having identified this risk in several risk analyses conducted by MHS from 2007 to 2012, OCR says.
Privacy attorney David Holtzman, vice president of compliance at security consulting firm CynergiTek, notes: “The size of the monetary settlement paid by Memorial Healthcare System, as well as the exhaustive corrective action plan, is an indication of the seriousness of the harm caused by the failure to put into place reasonable safeguards and practices that could have easily prevented the misuse of the information system.”
MHS did not immediately respond to an Information Security Media Group request for comment.
Corrective Action Plan
Under the settlement with OCR, MHS has agreed to a corrective action plan that requires it to:
- Complete a risk analysis and implement a risk management plan to mitigate the risks and vulnerabilities identified;
- Revise its policies and procedures regarding information system activity to require the regular review of audit logs, access reports and security incident tracking;
- Revise policies and procedures regarding user access establishment, modification and termination, including protocols for access to MHS’s e-PHI by affiliated physicians, their practices and their employees;
- Distribute the OCR-approved revised policies and procedures to all MHS workforce members, including those of covered entities that are owned, controlled or managed by MHS, as well as all business associates, vendors and affiliated physician practices.
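As an added illustration (not part of the article or of MHS's own controls), the following Python script shows the kind of periodic review the plan calls for: it cross-checks application access-log entries against an HR roster to flag use of terminated or unknown accounts, then summarises how long and how often each flagged account was active, the pattern that went unnoticed for a year in this case. The log format, roster and user names are constructed sample data.

```python
from collections import defaultdict
from datetime import date

# Constructed HR roster: user id -> termination date (None means still active).
ROSTER = {
    "jdoe": None,
    "asmith": date(2011, 3, 31),  # separated from an affiliated practice
}

# Constructed audit log in a simple CSV form: date,user,action,patient_id
AUDIT_LOG = """\
2011-04-01,jdoe,VIEW,P1001
2011-04-01,asmith,VIEW,P1002
2011-04-02,asmith,VIEW,P1003
2011-04-02,asmith,VIEW,P1004
2011-04-03,jdoe,VIEW,P1001
2011-04-03,asmith,VIEW,P1005
2011-04-03,ghost,VIEW,P1006
"""

def parse_log(text):
    """Yield (date, user, action, patient_id) tuples from the CSV text."""
    for line in text.splitlines():
        if line.strip():
            d, user, action, patient = line.split(",")
            yield date.fromisoformat(d), user, action, patient

def find_unauthorized_access(log_text, roster):
    """Map user -> list of (date, patient_id) for events by terminated or unknown accounts."""
    hits = defaultdict(list)
    for d, user, _action, patient in parse_log(log_text):
        if user not in roster:  # account with no HR record at all
            hits[user].append((d, patient))
        elif roster[user] is not None and d > roster[user]:  # used after termination
            hits[user].append((d, patient))
    return dict(hits)

def activity_profile(events):
    """Summarise flagged events: distinct active days, records touched and span in days.
    A long span of near-daily use is exactly what a regular log review should surface."""
    days = sorted({d for d, _ in events})
    return {
        "active_days": len(days),
        "records": len({p for _, p in events}),
        "span_days": (days[-1] - days[0]).days + 1,
    }

if __name__ == "__main__":
    for user, events in find_unauthorized_access(AUDIT_LOG, ROSTER).items():
        print(user, activity_profile(events))
```

In practice the roster would come from the HR or identity system and the log from the EHR application's audit export; the comparison logic stays the same.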
Holtzman notes that OCR has been emphasizing the importance of audit controls, not only with the settlement with MHS but also in a recent monthly cybersecurity newsletter.
“Audit controls are an integral part of an organization’s approach to safeguarding PHI,” he says. “The enterprise-wide information security risk analysis that is periodically performed by every covered entity and business associate is critical to identifying the information that should be collected from an audit log and how often the audit reports should be reviewed. During the risk analysis, a covered entity needs to define the reasons for establishing audit trail mechanisms and procedures for its electronic information systems that contain or use electronic protected health information.”
The resolution agreement with MHS is OCR’s fourth HIPAA enforcement action so far in 2017, and the agency’s second largest HIPAA settlement to date.
The largest HIPAA settlement – $5.55 million – was signed in August 2016 with Chicago-based Advocate Health Care Network after investigations into three 2013 breaches. The largest Advocate incident involved the theft of four unencrypted computers, which affected about 4 million individuals.
Source: SANS ISC SecNewsFeed @ February 16, 2017 at 04:12PM