Steep Fines for HIPAA Violations
Last week, the U.S. Department of Health and Human Services’ (HHS) Office for Civil Rights (OCR) announced that two organizations have agreed to pay hefty fines to settle potential violations of the Health Insurance Portability and Accountability Act (HIPAA) Privacy and Security Rules. What did both violators have in common? Each fell victim to a hacking incident that led to a massive data exposure.
On September 21, 2020, OCR announced that Athens Orthopedic Clinic PA has agreed to pay $1.5 million to settle potential HIPAA violations. On June 26, 2016, Athens Orthopedic was notified of a potential data exposure by a journalist who contacted the clinic claiming that a database of its patient records may have been posted online for sale. Just two days later, a hacker contacted the clinic demanding money in return for the stolen database, which contained the protected health information (PHI) of over 200,000 patients, including patient names, dates of birth, Social Security numbers, medical procedures, test results, and health insurance information.
The intrusion had begun earlier: on June 14, 2016, a vendor’s credentials were used to access the clinic’s electronic medical record system and exfiltrate patient data, and the hacker retained that access for over a month. At the end of July, the clinic filed a breach report informing OCR that 208,557 individuals were affected. OCR’s investigation found systemic noncompliance with the HIPAA Privacy and Security Rules, including failures to conduct a risk analysis, implement risk management and audit controls, obtain appropriate business associate agreements, and provide HIPAA training to workforce members.
On September 21, 2020, OCR announced that CHSPSC LLC, a business associate that provides IT and health information management services to hospitals and physician clinics, has agreed to pay $2.3 million to settle potential HIPAA violations following a breach affecting over six million people.
In April 2014, the Federal Bureau of Investigation (FBI) notified CHSPSC that it had traced a cyberhacking group’s advanced persistent threat to the vendor’s information system. Despite the FBI’s notice, the hackers retained access to the vendor’s system until August 2014 and exfiltrated the PHI of 6,121,158 individuals. They had used compromised administrative credentials to access the system remotely through the vendor’s virtual private network. OCR’s investigation found longstanding and systemic noncompliance with the HIPAA Security Rule, including failure to conduct a risk analysis and failures to implement system activity reviews, security incident procedures, and access controls.
In addition to the monetary settlements, both Athens Orthopedic and CHSPSC have agreed to a robust corrective action plan that includes two years of monitoring. “Hacking is the number one source of large health care data breaches. Health care providers that fail to follow the HIPAA Security Rule make their patients’ health data a tempting target for hackers,” said OCR Director Roger Severino.
The HIPAA Security Rule requires that patient information be properly protected by everyone who comes into contact with it. In both cases above, the attackers did not need to break any software; they simply used credentials that already worked. University policy therefore requires all employees to practice proper email and password management to prevent hacking incidents. Below are some essential tips for safeguarding your credentials:
- Use strong passwords – do not use familiar names, personal information, or easily guessed passwords such as “password” or sequences such as “12345.”
- Change passwords regularly (at least every 90 days) so that a password that has been leaked or guessed without your knowledge stops working.
- Do not share your credentials with anyone.
- Use Multi-Factor Authentication (MFA), which adds a second layer of defense: a stolen or guessed password alone is not enough for an unauthorized user to access your account.
- Minimize the use of your UM email address in online submissions to reduce spam.
- Do not give out your email address arbitrarily.
- Never click on links or open files that appear suspicious or are from an unknown source.
- Verify that the sender’s email address is authentic!
- Delete spam, chain, clutter and other junk email.
- Do NOT forward and do NOT reply to spam or junk mail.
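As an added illustration of the “strong passwords” guidance above (this is example code written for this page, not the University’s own policy tooling), the following Python check rejects the three classes of weak password the tip names: common passwords (including leet-style variants such as “P@ssw0rd”), ascending, descending or keyboard-row sequences such as “12345” or “qwert”, and anything that contains the user’s own personal information. The block list and the sample passwords are constructed for the example; a real deployment would check against a breached-password corpus instead.

```python
import re

# Constructed, deliberately tiny block list for the example. In production this
# would be a breached-password corpus, not a hand-written set.
COMMON_PASSWORDS = {
    "password", "password1", "qwerty", "letmein", "welcome", "admin", "iloveyou",
}

# Keyboard rows used to catch "qwert", "asdfg", "zxcvb" and their reverses.
KEYBOARD_ROWS = ["qwertyuiop", "asdfghjkl", "zxcvbnm", "1234567890"]

# Common substitutions attackers already try: "P@ssw0rd" normalises to "password".
LEET = str.maketrans("@0$1!3", "aoslie")


def has_sequence(pw: str, run: int = 4) -> bool:
    """True if pw contains `run` or more consecutive characters that step by
    exactly +1 or -1 (e.g. "1234", "dcba") or that form a keyboard-row fragment."""
    s = pw.lower()
    for i in range(len(s) - run + 1):
        chunk = s[i:i + run]
        codes = [ord(c) for c in chunk]
        steps = {b - a for a, b in zip(codes, codes[1:])}
        if steps == {1} or steps == {-1}:
            return True
        for row in KEYBOARD_ROWS:
            if chunk in row or chunk in row[::-1]:
                return True
    return False


def contains_personal_info(pw: str, personal) -> bool:
    """True if any personal item of 3+ characters (name, birth year, ...)
    appears inside the password, case-insensitively."""
    s = pw.lower()
    return any(len(item) >= 3 and item.lower() in s for item in personal)


def check_password(pw: str, personal=(), min_len: int = 12) -> list:
    """Return the list of policy violations for pw; an empty list means accepted.
    `personal` is an iterable of strings the user should not embed
    (first name, last name, birth year, username, ...)."""
    problems = []
    if len(pw) < min_len:
        problems.append(f"shorter than {min_len} characters")

    # Compare several normalised forms against the block list so that
    # "Password2020" and "P@ssw0rd1" are both recognised as "password".
    lower = pw.lower()
    base = re.sub(r"\d+$", "", lower)          # strip trailing digits
    candidates = {lower, base, lower.translate(LEET), base.translate(LEET)}
    if candidates & COMMON_PASSWORDS:
        problems.append("matches a commonly used password")

    if has_sequence(pw):
        problems.append("contains a character or keyboard sequence")
    if contains_personal_info(pw, personal):
        problems.append("contains personal information")
    return problems


if __name__ == "__main__":
    # Constructed sample inputs for the example.
    for candidate, info in [
        ("P@ssw0rd", ()),
        ("JaneDoe12345!", ("Jane", "Doe", "1995")),
        ("Vq7#mellow-kite-42", ("Jane", "Doe", "1995")),
    ]:
        verdict = check_password(candidate, info)
        print(f"{candidate!r}: {'OK' if not verdict else '; '.join(verdict)}")
```

The sequence detector works on the raw password while the block-list comparison works on normalised copies, so leet substitutions cannot hide a dictionary word and digit runs are still caught as sequences. Checking personal information requires knowing it, which is why this kind of check belongs in the account system at password-change time rather than in a generic strength meter.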
It is important to remember that you are entrusted with maintaining the privacy of our patients, students, faculty and staff. If you suspect that your account or credentials have been compromised, immediately contact the UMIT Help Desk at 305-243-5999 or email@example.com.
If you suspect or receive notification of a breach or potential data exposure, please notify the UHealth Privacy Office immediately at 305-243-5000 or firstname.lastname@example.org.