Poor Access Management Leads to $5.5M HIPAA Penalty

Hospital chain settles claim it exposed 80,000 people's private data, leading to identity theft

Data Center Knowledge

February 17, 2017

A nurse files patient records in Berlin, Germany. (Photo by Adam Berry/Getty Images)


Brought to you by MSPmentor

A Miami, Fla.-area nonprofit this week paid $5.5 million to settle a HIPAA case alleging that credentials of former employees were used to access electronic protected health information (ePHI) of 80,000 people – some of whom were later victims of identity theft.

South Broward Hospital District, which does business as Memorial Healthcare System (MHS), initially reported in April 2012 that two former employees had improperly accessed ePHI.

The nonprofit hospital chain filed a follow-up report three months later, saying it had found evidence of additional breaches by 12 other employees who worked at affiliated physicians' offices.

Investigators from the U.S. Department of Health and Human Services Office of Civil Rights (OCR) determined that MHS failed to revoke access of former employees, failed to review logs and access records, and had inadequate policies for managing employee permissions to networks containing ePHI.

“Access to ePHI must be provided only to authorized users, including affiliated physician office staff,” Robinsue Frohboese, acting OCR director, said in a statement Thursday.

“Further, organizations must implement audit controls and review audit logs regularly,” the statement continued. “As this case shows, a lack of access controls and regular review of audit logs helps hackers or malevolent insiders to cover their electronic tracks, making it difficult for covered entities and business associates to not only recover from breaches, but to prevent them before they happen.”
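The two control failures OCR names, unrevoked access for former staff and unreviewed audit logs, are the kind of gap a routine reconciliation of access logs against the HR roster would surface. The following is an added example, not code from the article or from MHS; the CSV column names and all sample rows are constructed for illustration.

```python
import csv
import io
from datetime import datetime

# Constructed sample data (hypothetical, not from the article): an HR roster
# with termination dates and an application access log for an ePHI system.
HR_ROSTER = """user,status,terminated_on
jdoe,terminated,2012-01-15
asmith,active,
bwong,terminated,2012-03-01
"""

ACCESS_LOG = """timestamp,user,action,record
2012-01-10T09:12:00,jdoe,view,patient-1001
2012-02-02T22:41:00,jdoe,view,patient-1002
2012-02-03T08:05:00,asmith,view,patient-1003
2012-03-05T23:30:00,bwong,export,patient-1004
2012-03-06T00:10:00,ghost,view,patient-1005
"""

def load_roster(text):
    """Map each user to its termination date (None for active users)."""
    roster = {}
    for row in csv.DictReader(io.StringIO(text)):
        term = row["terminated_on"].strip()
        roster[row["user"]] = datetime.fromisoformat(term).date() if term else None
    return roster

def find_stale_access(log_text, roster):
    """Return access events that deprovisioning should have prevented:
    activity by a terminated user after the termination date, or by an
    account HR does not know about (an orphaned or shared credential)."""
    findings = []
    for row in csv.DictReader(io.StringIO(log_text)):
        ts = datetime.fromisoformat(row["timestamp"])
        user = row["user"]
        if user not in roster:
            findings.append((ts, user, row["action"], row["record"], "unknown account"))
            continue
        term = roster[user]
        # Activity on the termination day itself is treated as legitimate.
        if term is not None and ts.date() > term:
            findings.append((ts, user, row["action"], row["record"], f"terminated {term}"))
    return findings

if __name__ == "__main__":
    for finding in find_stale_access(ACCESS_LOG, load_roster(HR_ROSTER)):
        print(*finding)
```

In practice the roster would come from the HR system of record and the log from the ePHI application's audit trail, and the run would be scheduled rather than manual.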

IT service providers continue to strike gold working in the healthcare vertical. But the lucrative market also poses substantial risks for covered entities and authorized business associates – often third-party IT service providers – in the event ePHI is mishandled.

In the latest case, MHS reported their suspicion that as many as 105,646 individuals might have been affected, though OCR investigators ultimately placed the final tally at about 80,000.

Still, the impact was significant.

“Some of these instances led to federal charges relating to selling protected health information and filing fraudulent tax returns,” OCR investigators said in a document detailing terms of the settlement.

As part of the agreement, MHS also agreed to comply with a corrective action plan.

The $5.5 million payment is tied for the largest HIPAA breach penalty levied so far and marks a continuation of an enforcement crackdown that dates back to the start of last year.

OCR has collected $11.4 million so far in 2017.

That’s compared to $23.5 million last year, and just $6.2 million levied in all of 2015.

This article originally appeared on MSPmentor.
