The not-for-profit Florida Memorial Healthcare System (MHS) agreed to pay $5.5 million for a HIPAA breach.
MHS reported that its employees and affiliated physician office staff impermissibly accessed more than 115,000 individuals’ health information, including patients’ names, dates of birth, and Social Security numbers, all of which were stored in an electronic protected health information (ePHI) database. Although MHS did have policies in place to protect its patients, it failed to review and terminate users’ rights of access to ePHI, so a former employee’s login was being used to access the database without authorization. The database was improperly accessed on a daily basis for a full year beginning in April 2011.
The Acting Director of HHS’ Office for Civil Rights, Robinsue Frohboese, reiterated that:
“Access to ePHI must be provided only to authorized users, including affiliated physician office staff. Further, organizations must implement audit controls and review audit logs regularly. As this case shows, a lack of access controls and regular review of audit logs helps hackers or malevolent insiders to cover their electronic tracks, making it difficult for covered business associates to not only recover from breaches, but to prevent them before they happen.”
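The MHS failure described above comes down to two missing controls: disabling accounts when staff leave, and reviewing access logs often enough to notice a departed user's login still in use. The script below is an added illustration, not code from MHS, HHS, or the original article; it assumes a constructed HR termination export and a constructed three-field audit log (date, user, resource) and shows both checks: which active accounts should already be disabled, and which log entries record access by an account after its owner's termination date.

```python
"""Access-review checks for an ePHI audit log.

Both the log format ("YYYY-MM-DD user resource") and the HR termination
export are constructed for this example; a real system would pull these
from its identity provider, HR system, and database audit trail.
"""
from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class AccessEvent:
    when: date
    user: str
    resource: str


# Constructed HR export: account name -> last day of employment.
TERMINATIONS = {"jdoe": date(2011, 3, 31)}

# Constructed accounts still enabled in the ePHI database.
ACTIVE_ACCOUNTS = {"jdoe", "asmith", "bjones"}

# Constructed audit log excerpt.
SAMPLE_LOG = """\
2011-04-01 jdoe ephi_db
2011-04-01 asmith ephi_db
2011-04-02 jdoe ephi_db
2011-04-02 bjones billing
2011-04-03 jdoe ephi_db
"""


def parse_log(text: str) -> list[AccessEvent]:
    """Parse one event per non-empty line; malformed lines raise ValueError."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        day, user, resource = line.split()
        events.append(AccessEvent(date.fromisoformat(day), user, resource))
    return events


def accounts_to_disable(active: set[str], terminations: dict[str, date],
                        as_of: date) -> list[str]:
    """Accounts still enabled although HR says the person has left (the
    periodic access-review check that MHS did not perform)."""
    return sorted(a for a in active
                  if a in terminations and terminations[a] <= as_of)


def post_termination_access(events: list[AccessEvent],
                            terminations: dict[str, date]) -> list[AccessEvent]:
    """Log entries where a terminated account accessed any resource after
    its owner's last day (the audit-log review that would have exposed the
    misuse)."""
    return [ev for ev in events
            if ev.user in terminations and ev.when > terminations[ev.user]]


def days_of_misuse(events: list[AccessEvent],
                   terminations: dict[str, date]) -> dict[str, int]:
    """Distinct days of post-termination access per account, a quick way to
    gauge how long a review gap has persisted."""
    seen: dict[str, set[date]] = {}
    for ev in post_termination_access(events, terminations):
        seen.setdefault(ev.user, set()).add(ev.when)
    return {user: len(days) for user, days in seen.items()}


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    print("disable:", accounts_to_disable(ACTIVE_ACCOUNTS, TERMINATIONS, date(2011, 4, 1)))
    for ev in post_termination_access(evs, TERMINATIONS):
        print("post-termination access:", ev)
    print("days of misuse:", days_of_misuse(evs, TERMINATIONS))
```

Running the two checks on a schedule (the account reconciliation at least as often as staff turn over, the log review daily or weekly) turns a year-long exposure like the one at MHS into a finding within one review cycle.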
The MHS settlement is tied for the largest ever for a HIPAA breach.
The other $5.5 million settlement involved Illinois-based Advocate Health Care, whose breaches compromised the ePHI of more than 4 million patients. In 2013, Advocate reported three separate data breaches involving medical information and credit card numbers.
In July 2013, four unencrypted laptops containing ePHI were stolen from an Advocate administrative office, potentially compromising more than 2,000 patients’ data. As Advocate’s privacy risks were assessed, the number of patients potentially affected by their various breaches climbed into the millions.
When HHS investigated, it found that Advocate failed to assess data risks, safeguard a laptop left overnight in an unlocked vehicle, and limit access to its information systems. Along with the $5.5 million settlement, Advocate was also required to adopt a corrective action plan addressing its failures to comply with the law.
OCR’s then-Director Jocelyn Samuels said:
“We hope this settlement sends a strong message to covered entities that they must engage in a comprehensive risk analysis and risk management to ensure that individuals’ electronic protected health information is secure.”
Since last November, HIPAA settlements involving electronic data breaches have exceeded $16 million. A not-so-gentle reminder to conduct your risk assessments annually, perform your monthly privacy monitoring tasks, and maintain your policies.