Dive Brief:
- Irvine, CA-based St. Joseph's Health will pay U.S. government $2.14 million to settle alleged HIPAA violations.
- From February 2011 to February 2012, files in St. Joseph’s electronic medical records system were publicly accessible through online search engines, potentially exposing the protected health information of 31,800 people, according to HHS.
- The integrated health system has also agreed to a corrective action plan to prevent future security breaches.
Dive Insight:
St. Joseph failed to modify a server whose default setting allowed anyone to access the files over the internet, according to HHS. The health system had purchased the server for use in demonstrating meaningful use under the Medicare program.
When the problem was discovered, St. Joseph brought in outside experts to assess the system’s vulnerabilities but never conducted an enterprise-wide analysis, HHS says.
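The failure described above, a server left on its default setting so that files were served to anyone and picked up by search engine crawlers, can be caught by a routine check of what the server actually returns to an unauthenticated client. The following is an added example, not code from the article or from St. Joseph or HHS; it classifies HTTP responses (the sample responses and hostname are constructed for illustration) and flags a directory listing that is served with no authentication challenge and no `noindex` signal for crawlers.

```python
"""Added example: flag web responses that expose a file listing to anonymous
clients, the misconfiguration class behind the settlement described above.
All sample responses and the hostname are constructed for illustration."""
import re
from dataclasses import dataclass, field

# Fingerprints of auto-generated directory listings in common web servers.
LISTING_MARKERS = (
    re.compile(r"<title>\s*Index of /", re.I),      # Apache mod_autoindex
    re.compile(r"<h1>\s*Index of /", re.I),         # nginx autoindex
    re.compile(r"\[To Parent Directory\]", re.I),   # IIS directory browsing
)
LINK_RE = re.compile(r'href="([^"?#]+\.(?:csv|xls|xlsx|pdf|xml|txt))"', re.I)


@dataclass
class Response:
    """Minimal view of an HTTP response as an auditor would capture it."""
    url: str
    status: int
    headers: dict = field(default_factory=dict)
    body: str = ""


def is_listing(body):
    """True if the body looks like a server-generated directory index."""
    return any(p.search(body) for p in LISTING_MARKERS)


def linked_files(body):
    """Data-bearing files linked from a listing, as a rough exposure measure."""
    return LINK_RE.findall(body)


def classify(resp):
    """Return the list of findings for one response (empty means no issue).

    A 200 listing means the server answered an unauthenticated request with
    the directory contents; a 401/403 means access control is in place."""
    findings = []
    headers = {k.lower(): v for k, v in resp.headers.items()}
    if resp.status != 200 or not is_listing(resp.body):
        return findings
    findings.append("directory listing served without authentication")
    # Without a noindex signal a crawler that reaches the URL will index it.
    if "noindex" not in headers.get("x-robots-tag", "").lower():
        findings.append("no X-Robots-Tag noindex; search engines may index")
    files = linked_files(resp.body)
    if files:
        findings.append(f"{len(files)} data file(s) listed")
    return findings


def audit(responses):
    """Map each URL with findings to its findings; clean URLs are omitted."""
    return {r.url: classify(r) for r in responses if classify(r)}


# Constructed sample responses (not real captures).
OPEN_LISTING = Response(
    url="http://ehr-demo.example/exports/",
    status=200,
    headers={"Content-Type": "text/html"},
    body='<html><head><title>Index of /exports</title></head><body>'
         '<h1>Index of /exports</h1><a href="patients_2011.csv">patients_2011.csv</a>'
         '<a href="summary.pdf">summary.pdf</a></body></html>',
)
NOINDEX_LISTING = Response(
    url="http://ehr-demo.example/staging/",
    status=200,
    headers={"X-Robots-Tag": "noindex, nofollow"},
    body='<html><h1>Index of /staging</h1><a href="notes.txt">notes.txt</a></html>',
)
PROTECTED = Response(
    url="http://ehr-demo.example/records/",
    status=401,
    headers={"WWW-Authenticate": 'Basic realm="ehr"'},
)

if __name__ == "__main__":
    for url, findings in audit([OPEN_LISTING, NOINDEX_LISTING, PROTECTED]).items():
        print(url, "->", "; ".join(findings))
```

In practice the `Response` objects would be built from real requests made with no credentials, against every host brought into the environment (including purchased or vendor-supplied systems such as the demonstration server mentioned here), and the audit would run on a schedule rather than once.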
The $2,140,500 settlement underscores the need to be on top of security risks. In August, Advocate Health Care agreed to pay HHS’ Office for Civil Rights $5.55 million to settle alleged HIPAA violations also related to the failure to assess vulnerabilities in its electronic information systems.
“Entities must not only conduct a comprehensive risk analysis, but must also evaluate and address potential security risks when implementing enterprise changes impacting ePHI (electronic protected health information),” OCR Director Jocelyn Samuels said in a statement.
Under the corrective action plan, St. Joseph agreed to do a business-wide risk analysis, implement a risk management plan, revise its security policies and procedures, and provide staff training on those changes.