On February 2, 2023, the US Department of Health and Human Services’ (HHS) Office for Civil Rights (OCR) announced a settlement with a nonprofit health system headquartered in Phoenix, Arizona, to resolve a data breach resulting from a 2016 hacking incident which disclosed the protected health information (PHI) of 2.81 million consumers. The potential violations specifically include: the lack of an analysis to determine risks and vulnerabilities to electronic protected health information (ePHI) across the organization, insufficient monitoring of its health information systems’ activity to protect against a cyberattack, failure to implement an authentication process to safeguard its ePHI, and failure to have security measures in place to protect ePHI from unauthorized access when it was being transmitted electronically.
As a result, the health system paid $1,250,000 to OCR and agreed to implement a corrective action plan, which identifies steps the health system will take to resolve these potential violations of the Health Insurance Portability and Accountability Act (HIPAA) Security Rule and protect the security of ePHI.
In November 2016, OCR initiated an investigation of the health system following the receipt of a breach report stating that a threat actor had gained unauthorized access to ePHI, potentially affecting millions. The hacker accessed PHI that included patient names, physician names, dates of birth, addresses, Social Security numbers, clinical details, dates of service, claims information, lab results, medications, diagnoses and conditions, and health insurance information.
The health system is one of the largest nonprofit health systems in the country, with over 50,000 employees and operations in six states. It is the largest employer in Arizona and one of the largest in northern Colorado. OCR’s investigation found evidence of long-term, pervasive noncompliance with the HIPAA Security Rule across the organization, which OCR said was a serious concern given the organization’s size.
In addition to the monetary settlement, the health system will take steps under a comprehensive corrective action plan that will be monitored for two years by OCR to ensure compliance with the HIPAA Security Rule. The health system has agreed to:
- Conduct an accurate and thorough risk analysis to determine risks and vulnerabilities to electronic patient/system data across the organization.
- Develop and implement a risk management plan to address identified risks and vulnerabilities to the confidentiality, integrity, and availability of ePHI.
- Develop, implement, and distribute policies and procedures covering the risk analysis and risk management plan, the regular review of activity within its information systems, an authentication process that safeguards data and records, and security measures to protect ePHI from unauthorized access while it is being transmitted electronically.
- Report to HHS within thirty (30) days when workforce members fail to comply with the HIPAA Security Rule.
Compliance Perspective
Issue
Cybersecurity incidents and data breaches continue to increase across all sectors. Seventy-four percent of the breaches reported to OCR in 2021 involved hacking/IT incidents. In the healthcare sector, hacking is now the greatest threat to the privacy and security of PHI. Organizations must be proactive in their efforts to regularly monitor system activity for hacking incidents and have measures in place to sufficiently safeguard PHI.
Discussion Points
- Review policies and procedures related to HIPAA, PHI, the Privacy Rule, and data integrity. Ensure that they address how to avoid falling prey to breach attempts by unauthorized individuals and how to guard against and detect malicious software. Update them as new information becomes available.
- Train appropriate staff on HIPAA, PHI, and the Privacy Rule, including how to avoid phishing schemes, malware exposure, and unauthorized release of PHI, and how to detect malicious software and report such detections. Provide additional training at least annually and whenever new threats or security information become known. Document that these trainings occurred, and file the signed training document in each employee’s education file.
- Periodically audit to ensure that staff are adhering to data integrity security measures and that the facility’s policies and procedures for HIPAA, PHI, and privacy are being followed. Also audit to confirm that computers and other devices are regularly scanned and updated.
*This news alert has been prepared by Med-Net Concepts, LLC for informational purposes only and is not intended to provide legal advice.*