Phishing Attack Results in $400,000 HIPAA Breach Fine

The payment by a Denver-based network of public health clinics is the first settlement announced since the federal office responsible for HIPAA enforcement changed leadership in January.

Aldrin Brown, Editor-in-Chief

April 12, 2017


A Denver, Colo.-area network of public health clinics paid a $400,000 HIPAA breach penalty after a phishing attack let a hacker gain access to employee email accounts and obtain electronic protected health information (ePHI) of 3,200 patients, federal authorities said today.    

Metro Community Provider Network (MCPN) – which provides primary medical care, pharmacies, social work, dental and behavioral care to roughly 43,000 mostly poor patients – reported the breach in January of 2012.

Investigators from the U.S. Department of Health and Human Services Office for Civil Rights (OCR) found that MCPN violated the HIPAA Security Rule by failing to conduct a proper risk analysis and failing to implement adequate security measures and procedures.

“Specifically, MCPN has failed to conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity and availability of ePHI held by MCPN,” OCR wrote in the official Resolution Agreement. “Further, MCPN has failed to implement security measures sufficient to reduce risks and vulnerabilities to a reasonable and appropriate level.”   

Investigators indicated that the financial component of the settlement might have been higher, but OCR weighed the public benefit of the services the nonprofit provides.

MCPN is a federally qualified health center (FQHC), which means it receives government reimbursement for treating people with incomes at or below the poverty line.

“With this settlement amount, OCR considered MCPN’s status as a FQHC when balancing the significance of the violation with MCPN’s ability to maintain sufficient financial standing to ensure the provision of ongoing patient care,” OCR said in a statement today.

MCPN must also adhere to a corrective action plan.

The payment marks the first agreement in nearly two months, following three settlements totaling $11.4 million during the first six weeks of 2017.

That pause coincided with the transition in presidential administration and prompted some observers to question whether new OCR Director Roger Severino would continue an enforcement crackdown that began under his predecessor Jocelyn Samuels.

“Patients seeking health care trust that their providers will safeguard and protect their health information,” Severino said in today’s OCR statement. “Compliance with the HIPAA Security Rule helps covered entities meet this important obligation to their patient communities.”

Compliance with the security and privacy rules of the Health Insurance Portability and Accountability Act has become increasingly important to IT services providers working in healthcare.

Though lucrative, the vertical also carries risks for managed service providers (MSPs), who are required to sign business associate agreements (BAAs) that expose them to liability if ePHI is mishandled. Since the 2013 HIPAA Omnibus Rule, business associates are also directly liable for compliance with the Security Rule, not only contractually through the BAA.

The MCPN settlement brings to $11.8 million the amount of HIPAA breach payments collected by OCR thus far this year.

Last year, the agency collected a record $23.5 million, up from $6.2 million in all of 2015.


About the Author

Aldrin Brown

Editor-in-Chief, Penton

Veteran journalist Aldrin Brown comes to Penton Technology from Empire Digital Strategies, a business-to-business consulting firm that he founded that provides e-commerce, content and social media solutions to businesses, nonprofits and other organizations seeking to create or grow their digital presence.

Previously, Brown served as the Desert Bureau Chief for City News Service in Southern California and Regional Editor for Patch, AOL's network of local news sites. At Patch, he managed a staff of journalists and more than 30 hyper-local and business news and information websites throughout California. In addition to his work in technology and business, Brown was the city editor for The Sun, a daily newspaper based in San Bernardino, CA; the college sports editor at The Tennessean, Nashville, TN; and an investigative reporter at the Orange County Register, Santa Ana, CA.
