

By Kelli Ogunlesi, CHP, HIPAAwise Success Manager

The last week of September proved to be a very busy one for the Office of Civil Rights (OCR), the federal agency responsible for enforcing the HIPAA privacy and security rules. From September 21 through September 25, OCR announced three separate settlements totaling $10.65 million. Each incident involves the same missing safeguards, ones that many organizations lack for a variety of reasons.

Let’s take a look at each settlement on its own:

9/25/20 – Premera Blue Cross (PBC) - $6.85 million

On March 17, 2015, PBC filed a breach report on behalf of itself and its network of affiliates stating that cyber-attackers had gained unauthorized access to its information technology (IT) system. The hackers used a phishing email to install malware that gave them access to PBC’s IT system in May 2014, which went undetected for nearly nine months until January 2015. This undetected cyberattack, otherwise known as an advanced persistent threat, resulted in the disclosure of more than 10.4 million individuals’ protected health information, including their names, addresses, dates of birth, email addresses, Social Security numbers, bank account information, and health plan clinical information.

OCR’s investigation found systemic noncompliance with the HIPAA Rules, including failure to conduct an enterprise-wide risk analysis and failures to implement risk management and audit controls.

9/23/20 – CHSPSC LLC, (“CHSPSC”) – $2.3 million

CHSPSC provides a variety of business associate services, including IT and health information management, to hospitals and physician clinics indirectly owned by Community Health Systems, Inc., in Franklin, Tennessee. 

In April 2014, the Federal Bureau of Investigation (FBI) notified CHSPSC that it had traced a cyber hacking group’s advanced persistent threat to CHSPSC’s information system. Despite this notice, the hackers continued to access and exfiltrate the protected health information (PHI) of 6,121,158 individuals until August 2014. The hackers used compromised administrative credentials to remotely access CHSPSC’s information system through its virtual private network. 

OCR’s investigation found systemic noncompliance with the HIPAA Rules, including failure to conduct an enterprise-wide risk analysis and failures to implement risk management and access controls.

9/21/20 – Athens Orthopedic Clinic PA ("Athens Orthopedic") - $1.5 million

Athens Orthopedic, located in Georgia, provides orthopedic services to approximately 138,000 patients annually. On June 26, 2016, a journalist notified Athens Orthopedic that a database of their patient records may have been posted online for sale. On June 28, 2016, a hacker contacted Athens Orthopedic and demanded money in return for a complete copy of the database it stole. Athens Orthopedic subsequently determined that the hacker used a vendor's credentials on June 14, 2016, to access their electronic medical record system and exfiltrate patient health data. The hacker continued to access protected health information (PHI) for over a month until July 16, 2016.

On July 29, 2016, Athens Orthopedic filed a breach report informing OCR that 208,557 individuals were affected by this breach, and that the PHI disclosed included patients' names, dates of birth, social security numbers, medical procedures, test results, and health insurance information.

OCR's investigation discovered longstanding, systemic noncompliance with the HIPAA Privacy and Security Rules by Athens Orthopedic including failures to conduct a risk analysis, implement risk management and audit controls, maintain HIPAA policies and procedures, secure business associate agreements with multiple business associates, and provide HIPAA Privacy Rule training to workforce members.

In addition to the monetary settlements, each organization listed has agreed to a robust corrective action plan that includes two years of monitoring.

As you can see, each of these settlements resulted from an outside attack that went undetected primarily due to:

  • Lack of an enterprise-wide risk analysis
  • Lack of proper access and/or audit controls

Breaches are inevitable, and as providers, the data you are responsible for safeguarding is a potential gold mine, so it is critical that you are doing everything reasonable and appropriate to safeguard the PHI in your domain.

"Hacking is the number one source of large health care data breaches. Health care providers that fail to follow the HIPAA Security Rule make their patients' health data a tempting target for hackers," said OCR Director Roger Severino.

Let HIPAAwise help you organize, enhance, and identify gaps in your HIPAA Compliance program. Contact us today for more information!