Dive Brief:
- Memorial Healthcare System has paid HHS $5.5 million to settle potential HIPAA violations, HHS disclosed on Thursday.
- The six-hospital nonprofit system disclosed to HHS' OCR that 115,143 individuals' protected health information (PHI) had been impermissibly accessed by employees and impermissibly disclosed to affiliated physician office staff.
- The settlement comes weeks after Children's Medical Center of Dallas was fined $3.2 million over HIPAA violations.
Dive Insight:
The settlement highlights how important it is for hospitals and health systems to keep audit and access controls in check. A recent Protenus report found that 31 health data breaches occurred this January, affecting 388,307 patient records. Of those breaches, 59.2% (impacting 230,044 patient records) were a result of insiders. In 2016, 43% of health breaches were a result of insiders, the cybersecurity firm found.
"The login credentials of a former employee of an affiliated physician’s office had been used to access the ePHI maintained by MHS on a daily basis without detection from April 2011 to April 2012, affecting 80,000 individuals," HHS stated regarding the Memorial settlement. "Although it had workforce access policies and procedures in place, MHS failed to implement procedures with respect to reviewing, modifying and/or terminating users’ right of access, as required by the HIPAA Rules. Further, MHS failed to regularly review records of information system activity on applications that maintain electronic PHI by workforce users and users at affiliated physician practices, despite having identified this risk on several risk analyses conducted by MHS from 2007 to 2012."
Robinsue Frohboese, acting director, HHS Office for Civil Rights, recommended organizations implement audit controls and review audit logs regularly. "As this case shows, a lack of access controls and regular review of audit logs helps hackers or malevolent insiders to cover their electronic tracks, making it difficult for covered entities and business associates to not only recover from breaches, but to prevent them before they happen," she said.
This settlement, along with the Children's Medical Center of Dallas fine, shows that HHS is serious about enforcement and that violations can be costly to providers and health systems. The fact that these settlements and fines come five to seven years after the original breach notifications may worry some providers with more recent data breaches.
Memorial Healthcare System provided Healthcare Dive the following statement on the subject:
It’s important to put this settlement in perspective to the fact that this situation happened six years ago, and that Memorial Healthcare System proactively reported the actions of the two employees and the findings of its internal investigation regarding the affiliated physicians’ staff to the Department of Health and Human Services’ Office of Civil Rights (OCR). Upon learning of the breaches, Memorial quickly acted to implement new, sophisticated technologies designed to monitor use and access of patient data, further restricted access to protect patient information, and enacted new policies and procedures to enhance password security.
Memorial’s February 2017 settlement with the OCR resolves all allegations surrounding these breaches. While Memorial strongly disagrees with many of OCR’s allegations, has admitted no liability and has chosen to settle this case, it nevertheless agrees with the importance OCR places on maintaining the security of patient information. We will continue to vigorously monitor access and use of patient information and maintain rigorous cybersecurity and internal safeguards.