Legal News

Seasonal Worker Sentenced to 42 Months Imprisonment for Stealing Data from Healthcare.Gov Database

A seasonal employee at a Virginia-based tech company that supported the Centers for Medicare & Medicaid Services (CMS) by operating contact centers that provided assistance with Medicare enrollment and other services has been sentenced to 42 months in jail for accessing patient records, stealing personally identifiable information (PII), and using the PII for financial gain.

While working at a call center in Bogalusa, LA, Colbi Trent Defiore, 27, of Carriere, MS, accessed the protected health information of more than 8,000 individuals stored in the HHS healthcare.gov database without authorization, copied that information, and used it for criminal activity, including opening credit lines in individuals’ names.

Defiore had been employed by the company on three occasions in 2014, 2017, and 2018. He was discovered to have accessed records without authorization during his last employment period. The company had taken steps to ensure personally identifiable information (PII) was protected and had provided training to all employees on how to handle that information securely.

In November 2018, Defiore conducted bulk searches of the database, which were not permitted, and copied that information to a virtual clipboard. The information was then pasted into his work email account and was sent to his email account at the company. The stolen data was then used to fraudulently apply for at least 6 credit cards and loans and to open lines of credit for personal financial gain.

The tech company identified the unauthorized access and reported the matter to law enforcement. The company was able to supply law enforcement with video and audio recordings of Defiore during a phone call with a customer on November 6, 2018. The recordings showed Defiore conducting a bulk search of the database using first and last names unrelated to the call he was on. A data loss prevention tool also identified suspicious activity related to PII data.

Defiore was discovered to have remotely accessed his work email account outside of work hours on multiple occasions to retrieve the data. Prosecutors explained that the company’s data center was located in Virginia, so when Defiore transferred the PII to his work email account, the information crossed state lines making this a federal crime.

According to court documents, Defiore’s employer had implemented security measures to prevent customer service representatives such as Defiore from remotely accessing work email accounts. A single sign-on, multi-factor authentication application had been implemented for remote access, which could be accessed from a computer or mobile application. A software token was required to verify a user and complete the remote login process.

Defiore set up the multifactor authentication on a mobile phone using a Virtual Private Network in October 2018 and obtained the software token that would permit him to remotely access his work email account on his personal mobile phone or computer. The investigation revealed an IP address associated with Defiore had been used to remotely access his work email account.

Defiore’s actions resulted in $587,000 in losses for his employer, which included breach notification costs and providing identity theft protection services to the individuals whose PII was stolen.

Defiore pleaded guilty to one count of intentionally accessing a protected computer in excess of authorization for the purpose of commercial advantage and private financial gain. In addition to the 42-month jail term, Defiore will have to undergo 3-years of supervised release and is required to pay a $100 special assessment fee. A hearing has been scheduled for January 12, 2021 to determine the amount of restitution Defiore must pay.

The post Seasonal Worker Sentenced to 42 Months Imprisonment for Stealing Data from Healthcare.Gov Database appeared first on HIPAA Journal.

Kalispell Regional Healthcare Proposes $4.2 Million Settlement to Resolve Data Breach Lawsuit

The Montana-based healthcare provider Kalispell Regional Healthcare has proposed a $4.2 million settlement to resolve a lawsuit filed on behalf of victims of a data breach that was announced in October 2019.

The lawsuit was filed shortly after the announcement that the protected health information of approximately 130,000 patients had been impermissibly disclosed as a result of a sophisticated phishing attack. Unauthorized individuals had gained access to several email accounts after employees responded to phishing emails and disclosed their login credentials. The attackers first gained access to the email accounts on May 24, 2019 and were able to continue to access the accounts for several months. The compromised email accounts contained PHI such as names, addresses, telephone numbers, dates of birth, medical record numbers, medical histories, Social Security numbers, and health insurance information. Around 250 Social Security numbers are known to have been stolen by the attackers.

The lawsuit alleged Kalispell Regional Healthcare had failed to implement appropriate measures to ensure the privacy of patient data, had not provided adequate security awareness training to its employees, and was not adequately monitoring for potential compromises. Had adequate monitoring been in place, the lawsuit argued, the breach would have been detected far more rapidly. The lawsuit also alleged Kalispell Regional Healthcare had not provided breach victims with timely notifications, was not adhering to industry-recognized standards and cybersecurity best practices, and was in violation of the Montana Uniform Health Care Information Act.

Prior to the data breach, Kalispell Regional Healthcare said it had implemented a range of cybersecurity measures to keep the PHI of patients private and confidential. At the time of the breach, a leading cybersecurity consulting firm confirmed that Kalispell Regional Healthcare ranked in the top 9% of healthcare organizations for cybersecurity compliance, yet the measures put in place were still not sufficient to prevent the breach.

The decision to settle the lawsuit was made to bring the lawsuit to a close and prevent ongoing legal costs. Kalispell Regional Healthcare has denied any wrongdoing and has not admitted liability for the breach.

Under the terms of the settlement, a $4.2 million fund will be made available to cover various forms of relief for breach victims, including reimbursement for out-of-pocket expenses, reimbursement for time spent arranging identity restoration services and credit-monitoring services, a three-year complimentary membership to Experian credit monitoring services, and five years of free identity theft restoration services. Plaintiffs are entitled to claim up to $15,000 for out-of-pocket expenses and up to $75 reimbursement for time spent in response to the breach.

The settlement must now go before Eighth Judicial District Court Judge Elizabeth Best to be approved. The final approval hearing is scheduled for January 5, 2021. If the settlement is approved, plaintiffs will have until February 25, 2021 to submit their claims.


Mayo Clinic Faces Multiple Lawsuits over Insider Privacy Breach

Mayo Clinic is facing multiple class action lawsuits over an insider data breach reported in October 2020. Mayo Clinic discovered a former employee had accessed the medical records of 1,600 patients without authorization and viewed information such as patient names, demographic information, dates of birth, medical record numbers, medical images, and clinical notes.

The Health Insurance Portability and Accountability Act (HIPAA) requires all HIPAA-covered entities to implement safeguards to ensure the privacy, confidentiality, and integrity of protected health information and limits the disclosures and uses of that information when patient consent is not obtained.

Healthcare employees are permitted to access PHI in the course of their work duties, but in this case the former employee had no legitimate work reason for viewing the records. The unauthorized access is in violation of the HIPAA Rules; however, there is no private cause of action in HIPAA, so individuals affected by such a breach cannot take legal action for any HIPAA violation that results in their medical records being exposed or compromised.

Two lawsuits have recently been filed in Minnesota state courts alleging violations of the Minnesota Health Records Act (MHRA), which introduced stricter regulations covering the privacy of healthcare data in Minnesota. The MHRA applies to all Minnesota-licensed physicians, and the legislation does have a private cause of action, so providers that violate the MHRA can be sued by their patients.

The lawsuit alleges Mayo Clinic did not implement systems or procedures to ensure plaintiffs’ and similarly situated individuals’ health records would be protected and not subject to unauthorized access, and that the former employee accessed the plaintiffs’ medical records without first obtaining their consent.

Under MHRA, healthcare providers must obtain a signed and dated consent form from a patient or the patient’s legal representative authorizing the release of their medical records, unless there is a specific authorization in law, or when there is a representation from a provider holding a signed and dated consent form from the patient in question authorizing the release of their medical records.

The lawsuit also brings common law tort claims for the invasion of privacy, negligent infliction of emotional distress, and vicarious liability. A major contributory factor to the emotional distress was that some of the accessible medical images included nude photographs of patients taken in connection with their cancer treatments. The plaintiffs seek monetary damages and other relief deemed appropriate by the courts.


Zoll Sues IT Vendor for 277,000-Record Server Migration Data Breach

A lawsuit has been filed in the US District Court in Massachusetts by the medical device vendor Zoll which alleges its IT service vendor, Campbell, CA-based Barracuda Networks, was negligent for botching a server migration which resulted in the exposure of the protected health information of 277,139 patients.

The breach in question involved archived emails that were being migrated to a new email archiving service. A configuration error resulted in the exposure of those emails for more than 2 months between November 8, 2018 and December 28, 2018. The configuration error was corrected, but Zoll was not informed about the breach until January 24, 2019. The breach investigation revealed the exposed emails contained patient information such as names, contact information, birth dates, medical information, and for certain patients, Social Security numbers.

Zoll had contracted with a company called Apptix – now Fusion Connect – in 2012 and entered into a business associate agreement to provide hosted business communication solutions. Apptix then entered into a contract with a company called Sonian to provide services such as email archiving. Sonian was acquired by Barracuda Networks in 2017.

According to the lawsuit, Barracuda Networks learned of the breach on January 1, 2019. Its investigation revealed an error had been made and a data port had been left open, which exposed the email search function of the migration tool on a small portion of the indices. The port remained open for almost 7 weeks before the error was identified and the port was closed. While the port was open an unauthorized individual gained access to email data and “consistently executed an automated search of the archive.”

A breach of protected health information of this nature has implications for patients. Affected patients suffered injury and damages as a result of the exposure and theft of their personal and healthcare data. A lawsuit was filed against Zoll in April 2019 on behalf of patients affected by the breach. Zoll sought indemnification from Apptix; however, the company did not respond. The lawsuit has since been settled.

In addition to the settlement and legal costs incurred, Zoll expended internal and external resources investigating and mitigating the breach, sending breach notification letters to affected patients, and providing free access to services to protect patients against loss and harm. The lawsuit seeks to recover those costs from Barracuda Networks.

Zoll alleges Barracuda Networks was negligent for failing to implement reasonable precautions and safeguards to protect Zoll’s data and that Barracuda Networks did not fully cooperate with Zoll’s investigation. Zoll alleges its investigators were not provided with access to Barracuda Networks’ online environment and that many of the investigators’ questions were not answered. Zoll said it was not told the dates when patient data was exposed, the types of data accessed, and whether any information had been exfiltrated by the attackers.

The lawsuit states that Barracuda Networks did respond to the breach and implemented additional safeguards, policies and procedures to prevent similar incidents from occurring in the future, but breached its duty to implement reasonable protections prior to the breach to protect Zoll data. Zoll also alleges a breach of the implied warranty of merchantability, as the email archiving solution was warranted to be suitable for secure email archiving, when security flaws allowed unauthorized individuals to access confidential archived data. Zoll also alleges the email archiving solution was flawed and not fit for purpose, and consequently Barracuda Networks breached the implied warranty of fitness for a particular purpose.


$350,000 Settlement Reached to Resolve Saint Francis Healthcare Data Breach Lawsuit

A $350,000 settlement has been reached between Saint Francis Healthcare System and patients impacted by a September 2019 ransomware attack on Ferguson Medical Group (FMG).

FMG was acquired by Saint Francis after a cyberattack that rendered data, including electronic medical records, on FMG systems inaccessible. The decision was taken to restore the encrypted data from backups rather than pay the ransom, and while patient data and other files were recovered, it was not possible to recover all data encrypted in the attack. FMG was unable to restore a batch of data related to medical services provided to patients between September 20, 2018 and December 31, 2018 which has been permanently lost. FMG announced the incident impacted around 107,000 patients, and those individuals were offered complimentary membership to credit monitoring services.

A class action lawsuit was filed against Saint Francis Healthcare in January 2020 in the U.S. District Court of Eastern Missouri which alleged negligence per se, breach of express and implied contracts, invasion of privacy, and violations of the Missouri Merchandise Practices Act. Almost 90,000 of the affected patients added their name to the lawsuit.

While credit monitoring services had been offered to affected individuals, the plaintiffs sought compensation for costs incurred as a result of the data breach and attorneys’ fees. The lawsuit also demanded Saint Francis Healthcare implement additional safeguards to improve data security.

A motion to dismiss the lawsuit was filed by Saint Francis Healthcare in March 2020 as it was claimed the plaintiffs failed to state a plausible cause for relief. The plaintiffs maintained the motion to dismiss lacked merit; however, if the case were to go to trial, the outcome would be unpredictable. Both parties agreed to attempt to settle the case out of court.

The proposed settlement will see all plaintiffs provided with a maximum of $280 to cover out-of-pocket expenses incurred as a result of the breach, additional credit monitoring services, and compensation for time spent protecting their identities.

Saint Francis Healthcare has also agreed to make improvements to security, including reviewing firewall rules, automatically updating its firewall to the latest version and applying patches promptly, restricting remote access to legacy systems, developing and implementing new password management policies, adding multi-factor authentication to its VPN access points, removing RDP from its vendor access solution, implementing geo-blocking for traffic to certain IP addresses, implementing a vulnerability scanning program, and providing more comprehensive cybersecurity training to the workforce.

The settlement now awaits approval from a judge. A conference with District Judge Stephen R. Clark of the District Court of Eastern Missouri is scheduled for November 17, 2020.


Georgia Man Pleads Guilty to Attempting to Frame a Former Acquaintance for Violating HIPAA Rules

A healthcare worker who was accused of violating Health Insurance Portability and Accountability Act (HIPAA) Rules and patient privacy by sending photographs of patients to unauthorized individuals has been cleared of any wrongdoing, following an investigation by federal law enforcement. A former acquaintance of the healthcare worker was discovered to have concocted a scheme to frame the healthcare worker for fictitious HIPAA violations and is now facing a prison sentence for making false statements.

Jeffrey Parker, 43, of Richmond Hill, GA, concocted an elaborate scheme to frame the former acquaintance for violations of patient privacy. In U.S. District Court in the Southern District of Georgia, Parker pled guilty to one count of false statements and admitted creating fake email addresses and concocting information in an effort to harm a former acquaintance. Parker portrayed himself as a whistleblower and contacted the U.S. Department of Justice (DOJ), Federal Bureau of Investigation (FBI) and the hospital where the healthcare worker was employed to make false allegations of HIPAA violations.

Several email addresses were created using the real names of individuals. Parker impersonated each to accuse the healthcare worker of violating patient privacy and the HIPAA Rules. Parker also claimed to have been threatened for reporting the HIPAA violations and acting as a whistleblower. The FBI investigated the case promptly to ensure Parker’s safety but identified inconsistencies in his account of events. After further investigation, Parker admitted he had concocted the scheme to harm the former acquaintance.

“This fake complaint not only caused potential harm for an innocent victim, but it also unnecessarily diverted resources from federal investigators whose diligent work shredded his web of lies,” said Bobby L. Christine, U.S. Attorney for the Southern District of Georgia.

“Many hours of investigative resources were wasted determining Parker’s whistleblower claims were a scheme to damage a former acquaintance,” said Chris Hacker, Special Agent in Charge of FBI Atlanta. “Now he will pay for his deliberate transgression and we can affirm that these types of actions will be exposed and punished.”

Parker faces a maximum sentence of 5 years in jail.


Anthem Inc. Settles State Attorneys General Data Breach Investigations and Pays $48.2 Million in Penalties

The Indianapolis, IN-based health insurer Anthem Inc. has settled multi-state actions by state attorneys general over its 78.8 million record data breach in 2014. One settlement was agreed with Attorneys General in 41 states and Washington D.C. for $39.5 million and a separate settlement was reached with the California Attorney General for $8.7 million. The settlements resolve violations of Federal and state laws that contributed to the data breach – the largest ever breach of healthcare data in the United States.

The cyberattack on Anthem occurred in 2014. Hackers targeted the health insurer with phishing emails, the responses to which gave them the foothold in the network they needed. From there, the hackers spent months exploring Anthem’s network and exfiltrating data from its customer databases. Data stolen in the attack included the names, contact information, dates of birth, health insurance ID numbers, and Social Security numbers of current and former health plan members and employees. The breach was announced by Anthem in February 2015. A Chinese national and an unnamed accomplice were charged in connection with the cyberattack in May 2019.

A breach on that scale naturally attracted the attention of the HHS’ Office for Civil Rights (OCR), which investigated the breach and discovered multiple potential violations of the HIPAA Rules. Anthem settled the HIPAA violation case with OCR for $16 million in October 2018. The HIPAA violation penalty was, and still is, the largest ever financial penalty imposed on a covered entity or business associate for violations of the HIPAA Rules.

Many lawsuits were filed on behalf of victims of the data breach over the theft of their protected health information. Anthem settled the consolidated class action lawsuit in 2018 for $115 million.

State Attorneys General investigated the breach to determine whether HIPAA and state laws had been violated. The multi-state investigation has taken 5 years to come to a conclusion, but the settlements now draw a line under the breach. Anthem has now paid $179.2 million to settle lawsuits and legal actions over the 2014 cyberattack.

In addition to the $48.2 million financial penalty, Anthem agreed to take a number of corrective actions to improve data security practices. These include implementing a comprehensive information security program based on the principles of zero trust architecture. Regular security reports are now sent to the board of directors and significant security events are reported promptly to the CEO.

Anthem has implemented multi-factor authentication, network segmentation, access controls, and data encryption, and is logging and monitoring information system activity. Anthem is conducting regular security risk assessments and penetration tests and provides regular security awareness training to its workforce. The corrective action plan also includes the requirement to undergo third-party security audits and assessments for three years, and to provide the results of those audits to a third-party assessor.

Anthem issued a statement in relation to the settlements saying, “[Anthem] does not believe it violated the law in connection with its data security and is not admitting to any such violations,” and also said that there had been no evidence uncovered to indicate any information stolen in the attack has been used to commit fraud or identity theft.

“When consumers must disclose confidential personal information to health insurers, these companies owe their customers the duty to protect their private data,” said California Attorney General Xavier Becerra. “Anthem failed in that duty to its customers. Anthem’s lax security and oversight hit millions of Americans. Now Anthem gets hit with a penalty, in the millions, in return.”


Slew of Lawsuits Filed Over Recent Healthcare Data Breaches

Individuals impacted by the recent data breaches at Blackbaud, Assured Imaging, and BJC Healthcare have taken legal action over the exposure and theft of their personal and protected health information.

Multiple Lawsuits Filed Over Blackbaud Ransomware Attack

The data breach at Blackbaud is one of the largest ever breaches of healthcare data to be reported. It is currently unclear exactly how many healthcare entities have been affected, as each affected entity is reporting the breach separately. As the deadline for reporting approaches, the extent of the breach is becoming clearer. Currently, at least 5 million individuals are known to have been affected and around 60 healthcare organizations have confirmed they have been impacted by the breach.

As is now common in ransomware attacks, data were exfiltrated by the hackers prior to the use of ransomware. Blackbaud paid the ransom demand to obtain the keys to decrypt data and to ensure that all stolen data were permanently deleted. Blackbaud has received assurances that the stolen data have been deleted, but as a result of the breach, individuals whose information was stolen in the attack have still had to take steps to protect their identities and many have incurred out-of-pocket expenses as a result of the breach.

At least 10 lawsuits have now been filed against Blackbaud and seek class action status. The lawsuits allege negligence, breach of contract, invasion of privacy, and violations of several state laws.

Blackbaud may have received assurances that stolen data have been deleted, but there is concern that a copy could have been made and is still in the hands of the hackers. According to one lawsuit filed in California federal court, “[Blackbaud] cannot reasonably maintain that the data thieves destroyed the subset copy simply because the defendant paid the ransom and the data thieves confirmed the copy was destroyed.” Blackbaud maintains the allegations in the lawsuits are without merit.

Lawsuit Filed Over Assured Imaging Ransomware Attack

Assured Imaging similarly suffered a ransomware attack in which patient data were stolen prior to the use of ransomware. The hackers first gained access to Assured Imaging’s systems on May 15, 2020 and deployed their ransomware on May 19, 2020. Notification letters were sent to the 244,813 patients affected by the attack on August 26, 2020. While it has been confirmed that the attackers stole data, Assured Imaging was unable to determine what information was obtained.

The threat actors behind the attack later published a portion of data stolen in the attack in an attempt to pressure Assured Imaging into paying the ransom. The ransomware used in the attack was Pysa, aka Mespinoza.

A lawsuit has been filed in the US District Court of Arizona on behalf of plaintiffs Angela T. Travis, Kerri G. Peters, and Geraldine Pineda and others affected by the breach. The plaintiffs are represented by attorney Hart L. Robinovitch of Zimmerman Reed.

The lawsuit alleges Assured Imaging maintained patient data “in a reckless manner” on a computer network that was vulnerable to cyberattacks and that there was a known risk of improper disclosure of PHI due to the lack of appropriate cybersecurity protections.

The lawsuit also alleges the failure to secure the network left patient data “in a dangerous condition” and that there was improper monitoring of its network, resulting in a delay in identifying the intrusion.

The lawsuit also alleges Assured Imaging was in breach of FTC guidelines and had failed to comply with the minimum industry standards for data security, such as applying security updates promptly, training the workforce, implementing appropriate policies and procedures with regard to data security, and the failure to encrypt data.

The lawsuit alleges patients face an increased risk of fraud and identity theft for many years to come as a result of the theft of their data and the actual or potential release of their information on the black market. Affected patients have also “suffered ascertainable losses in the form of disruption of medical services, out-of-pocket expenses and the value of their time reasonably incurred to remedy or mitigate the effects of the attack.”

BJC Healthcare Facing Class Action Lawsuit over Phishing Attack

A lawsuit has been filed in the St. Louis Circuit Court over a March 2020 phishing attack on BJC Healthcare in which the personal and protected health information of 287,876 individuals was potentially compromised. The breach affected 19 hospitals associated with BJC Healthcare.

Three employees responded to phishing emails and disclosed their credentials and their email accounts were accessed by the attackers. BJC Healthcare claims the breach was detected the same day but could not determine whether any data in the email accounts were accessed or stolen by the attackers.

A lawsuit was filed by attorney Jack Garvey on behalf of BJC patient Brian Lee Bauer claiming BJC’s approach to patient privacy was negligent. The lawsuit alleges the health system failed to implement and follow basic security procedures which made the protected health information of its patients accessible to thieves. The lawsuit alleges BJC failed to encrypt – or did not sufficiently encrypt – patient data and that it failed to meet its data security obligations under HIPAA and the HITECH Act.

The lawsuit claims breach victims face an increased risk of identity theft and fraud and are “immediately and imminently in danger of sustaining some or further direct injury/injuries.” As a result of the breach, patients have incurred significant out-of-pocket costs related to the prevention, detection, recovery, and remediation from identity theft and fraud and that the breach “is taking a significant emotional and physical toll” on the individuals affected.


Business Associate Fined $2.3 Million for Breach of 6 Million Records and Multiple HIPAA Failures

The Department of Health and Human Services’ Office for Civil Rights has announced its 10th HIPAA violation fine of 2020. This is the 7th financial penalty to resolve HIPAA violations that has been announced in as many days.

The latest financial penalty is the largest to be imposed in 2020 at $2.3 million and resolves a case involving 5 potential violations of the HIPAA Rules, including a breach of the electronic protected health information (ePHI) of 6,121,158 individuals.

CHSPSC LLC is a Tennessee-based management company that provides services to many subsidiary hospital operator companies and other affiliates of Community Health Systems, including legal, compliance, accounting, operations, human resources, IT, and health information management services. The provision of those services requires access to ePHI, so CHSPSC is classed as a business associate and is required to comply with the HIPAA Security Rule.

On April 10, 2014, CHSPSC suffered a cyberattack by an advanced persistent threat group known as APT18. Using compromised admin credentials, the hackers remotely accessed CHSPSC’s information systems via its virtual private network (VPN) solution. CHSPSC failed to detect the intrusion and was notified by the Federal Bureau of Investigation on April 18, 2014 that its systems had been compromised.

During the time the hackers had access to CHSPSC systems, the ePHI of 6,121,158 individuals was exfiltrated. The data had been provided to CHSPSC through 237 covered entities that used CHSPSC’s services. The types of information stolen in the attack included the following data elements: name, sex, date of birth, phone number, social security number, email, ethnicity, and emergency contact information.

OCR launched an investigation into the breach and uncovered systemic noncompliance with the HIPAA Security Rule. While it may not always be possible to prevent cyberattacks by sophisticated threat actors, when an intrusion is detected action must be taken quickly to limit the harm caused. Despite being notified by the FBI in April 2014 that its systems had been compromised, the hackers remained active in its systems for 4 months, finally being eradicated in August 2014. During that time, CHSPSC failed to prevent unauthorized access to ePHI, in violation of 45 C.F.R. §164.502(a), and the hackers continued to steal ePHI.

The failure to respond to a known security incident between April 18, 2014 and June 18, 2014, mitigate the harmful effects of the security breach, and document the breach and its outcome was in violation of 45 C.F.R. § 164.308(a)(6)(ii).

OCR investigators found CHSPSC had failed to conduct an accurate and thorough security risk analysis to identify the risks to the confidentiality, integrity, and availability of ePHI, in violation of 45 C.F.R. § 164.308(a)(1)(ii)(A).

Technical policies and procedures permitting access to information systems containing ePHI maintained by CHSPSC only by authorized individuals and software programs had not been implemented, in violation of 45 C.F.R. § 164.312(a).

Procedures had not been implemented to ensure information system activity records such as logs and system security incident tracking reports were regularly reviewed, in violation of 45 C.F.R. § 164.308(a)(1)(ii)(D).

“The health care industry is a known target for hackers and cyberthieves. The failure to implement the security protections required by the HIPAA Rules, especially after being notified by the FBI of a potential breach, is inexcusable,” said OCR Director Roger Severino. A sizeable financial penalty was therefore appropriate.

CHSPSC chose not to contest the case and agreed to pay the financial penalty and settled with OCR. The settlement also requires CHSPSC to adopt a robust and extensive corrective action plan to address all areas of noncompliance, and CHSPSC will be closely monitored by OCR for 2 years.
