Federal regulators have signed a $5.5 million HIPAA settlement with a Florida-based healthcare system over breaches in which employees gained unauthorized access to tens of thousands of patients’ information for more than a year, conduct that subsequently led to criminal charges. It’s the second largest such settlement to date.
In a Feb. 16 statement, the Department of Health and Human Services’ Office for Civil Rights says Memorial Healthcare System, based in Hollywood, Fla., paid the huge financial settlement and agreed to a corrective action plan to address a variety of security control failures related to the insider incidents.
Not-for-profit MHS operates six hospitals, an urgent care center, a nursing home and a variety of ancillary healthcare facilities throughout South Florida. MHS is also affiliated with physician offices through an organized health care arrangement, or OHCA, HHS notes.
The resolution agreement between MHS and OCR notes that on April 12, 2012, MHS submitted a breach report indicating that two employees inappropriately accessed patient information, including names, dates of birth, and Social Security numbers.
The HHS “wall of shame” website listing breaches affecting 500 or more individuals indicates that the MHS breach was reported as affecting nearly 9,500 individuals.
The resolution agreement also notes, however, that on July 11, 2012, MHS submitted another breach report to notify HHS that during its internal investigation, it discovered additional impermissible access by 12 users at affiliated physician offices, potentially affecting another 105,646 individuals.
“Some of these instances led to federal charges relating to selling protected health information and filing fraudulent tax returns,” the resolution agreement notes.
In a statement, OCR says the login credentials of a former employee of an affiliated physician’s office had been used to access the electronic PHI maintained by MHS on a daily basis without detection from April 2011 to April 2012, affecting 80,000 individuals.
“Although it had workforce access policies and procedures in place, MHS failed to implement procedures with respect to reviewing, modifying and/or terminating users’ right of access, as required by the HIPAA Rules,” OCR says.
Further, MHS failed to regularly review records of information system activity on applications that maintain ePHI by workforce users and users at affiliated physician practices, despite having identified this risk in several risk analyses conducted by MHS from 2007 to 2012, OCR says.
Privacy attorney David Holtzman, vice president of compliance at security consulting firm CynergisTek, notes: “The size of the monetary settlement paid by Memorial Healthcare System, as well as the exhaustive corrective action plan, is an indication of the seriousness of the harm caused by the failure to put into place reasonable safeguards and practices that could have easily prevented the misuse of the information system.”
In a statement provided to Information Security Media Group, MHS says: “It’s important to put this settlement in perspective to the fact that this situation happened six years ago, and that Memorial Healthcare System proactively reported the actions of the two employees and the findings of its internal investigation regarding the affiliated physicians’ staff to the HHS’ OCR. It also simultaneously notified all patients who may have been affected and provided them with free credit-monitoring. Memorial worked closely with law enforcement to assist in their investigations, which ultimately led to federal prosecution and conviction of the criminals.”
Upon learning of the breaches, Memorial quickly acted to implement new, sophisticated technologies designed to monitor use and access of patient data, further restricted access to protect patient information, and enacted new policies and procedures to enhance password security, the statement notes. “Memorial hired IBM … to provide assessment, response, and monitoring services. IBM continues to provide cybersecurity services to Memorial today. Memorial also hired an independent technology firm to conduct network audits and scans.”
The statement adds: “While Memorial strongly disagrees with many of OCR’s allegations, has admitted no liability and has chosen to settle this case, it nevertheless agrees with the importance OCR places on maintaining the security of patient information.”
Corrective Action Plan
Under the settlement with OCR, MHS has agreed to a corrective action plan that requires it to:
- Complete a risk analysis and implement a risk management plan to mitigate risks and vulnerabilities identified;
- Revise its policies and procedures regarding information system activity to require the regular review of audit logs, access reports and security incident tracking;
- Revise policies and procedures regarding user access establishment, modification and termination including protocols for access to MHS’s e-PHI by affiliated physicians, their practices and their employees;
- Distribute the OCR-approved revised policies and procedures to all MHS workforce members, including those of covered entities that are owned, controlled or managed by MHS, as well as all business associates, vendors and affiliated physician practices.
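The two controls at the centre of this case, reviewing information-system activity and terminating users’ access rights when they leave (the failures OCR describes above and the second and third plan items), can be checked mechanically. The following is an added illustration, not MHS’s, IBM’s or OCR’s material: it joins constructed ePHI access-log records against a constructed workforce roster, flags any access made with credentials of a terminated or unknown user, and builds a per-user activity summary for a periodic log review.

```python
"""Constructed review of ePHI access logs against a workforce roster (illustrative only)."""
from collections import defaultdict
from datetime import date

# Constructed roster: user id -> (affiliation, termination date or None if still active).
ROSTER = {
    "jdoe":   ("MHS staff", None),
    "asmith": ("Affiliated practice A", date(2011, 3, 31)),  # left before the log window
    "bjones": ("Affiliated practice B", None),
}

# Constructed application access-log records: (date, user id, patient record id, action).
ACCESS_LOG = [
    (date(2011, 4, 4), "asmith", "P1001", "VIEW"),
    (date(2011, 4, 5), "asmith", "P1002", "VIEW"),
    (date(2011, 4, 5), "jdoe", "P1002", "VIEW"),
    (date(2011, 4, 6), "asmith", "P1003", "EXPORT"),
    (date(2011, 4, 6), "unknownuser", "P1004", "VIEW"),  # credential not on the roster
]


def post_termination_accesses(log, roster):
    """Return (record, reason) pairs for accesses by credentials that should have been revoked:
    the user is absent from the roster, or the access date is on/after the termination date."""
    findings = []
    for rec in log:
        day, user, _, _ = rec
        if user not in roster:
            findings.append((rec, "not on roster"))
            continue
        term = roster[user][1]
        if term is not None and day >= term:
            findings.append((rec, f"terminated {term.isoformat()}"))
    return findings


def activity_summary(log):
    """Per user: distinct days with any access and distinct patient records touched.
    A reviewer uses this to spot credentials active far more often than their role warrants."""
    days, patients = defaultdict(set), defaultdict(set)
    for day, user, pid, _ in log:
        days[user].add(day)
        patients[user].add(pid)
    return {u: {"active_days": len(days[u]), "patients": len(patients[u])} for u in days}


if __name__ == "__main__":
    for rec, reason in post_termination_accesses(ACCESS_LOG, ROSTER):
        print("FLAG", rec, reason)
    print(activity_summary(ACCESS_LOG))
```

Run on real exports, the roster would come from the HR system and the log from the ePHI application’s audit trail; the point is that both feeds have to exist and be compared on a schedule, which is what the plan’s review requirement establishes.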
Holtzman notes that OCR has been emphasizing the importance of audit controls, not only with the settlement with MHS but also in a recent monthly cybersecurity newsletter.
“Audit controls are an integral part of an organization’s approach to safeguarding PHI,” he says. “The enterprise-wide information security risk analysis that is periodically performed by every covered entity and business associate is critical to identifying the information that should be collected from an audit log and how often the audit reports should be reviewed. During the risk analysis, a covered entity needs to define the reasons for establishing audit trail mechanisms and procedures for its electronic information systems that contain or use electronic protected health information.”
The resolution agreement with MHS is OCR’s fourth HIPAA enforcement action so far in 2017, and the agency’s second largest HIPAA settlement to date.
The largest HIPAA settlement – $5.55 million – was signed in August 2016 with Chicago-based Advocate Health Care Network after investigations into three 2013 breaches. The largest Advocate incident involved the theft of four unencrypted computers, which affected about 4 million individuals.