On December 5, 2024, the US Department of Health and Human Services (HHS) and the Office for Civil Rights (OCR) announced a civil monetary penalty of $548,265 against a Colorado hospital for violations of the Health Insurance Portability and Accountability Act (HIPAA) Privacy and Security Rules. The penalty follows breach reports in 2017 and 2020 related to email phishing attacks and cyberattacks.
The OCR investigation revealed that the first breach occurred due to the disabling of multifactor authentication on an email account, compromising 3,370 individuals’ protected health information (PHI). A second breach followed, involving the unauthorized access of three email accounts containing 10,840 individuals’ PHI. OCR found that workforce members had granted access to their accounts to unknown third parties.
In addition to the breaches, OCR found violations of the HIPAA Privacy Rule, due to insufficient workforce training, and of the HIPAA Security Rule, for failing to conduct an adequate risk analysis to identify vulnerabilities affecting electronic PHI (ePHI).
In June 2024, OCR issued a Notice of Proposed Determination to impose the penalty, which the hospital did not contest, waiving its right to a hearing. As a result, the penalty of $548,265 was finalized.
OCR has issued the following recommendations for healthcare providers and business associates covered by HIPAA to protect against cyber threats and prevent future violations:
- Ensure business associate agreements are in place and include breach/security incident obligations.
- Regularly conduct and integrate risk analysis and risk management into business processes.
- Implement audit controls to track and review information system activity.
- Use multifactor authentication for secure access to ePHI.
- Encrypt ePHI to protect against unauthorized access.
- Train workforce members regularly and reinforce their role in safeguarding privacy and security.
Compliance Perspective
Issue
Phishing is a form of social engineering in which a cyber threat actor poses as a trustworthy colleague, acquaintance, or organization to lure a victim into providing sensitive information or network access. The lure can arrive as an email, a text message, or even a phone call. If successful, this technique can give threat actors initial access to a network and affect both the targeted organization and related third parties. The result can be a data breach, data or service loss, identity fraud, malware infection, or ransomware. The healthcare sector is among the sectors most heavily targeted by ransomware, because patient records are both highly confidential and critical to care, which makes breaches of confidentiality and loss of access to online records especially damaging. The HIPAA Security Rule mandates that covered entities and their business associates conduct a risk assessment and implement security measures to protect against potential threats, including the introduction of malware and ransomware. It is imperative that all nursing facilities become proactive in preventing ransomware attacks to avoid data breaches, which are reportable under HIPAA requirements.
Discussion Points
- Review policies and procedures related to HIPAA, the Security and Privacy rules, and data integrity. Ensure that they address how to avoid falling prey to security breach efforts by unauthorized individuals, and how to guard against and detect malicious software. Update as new information becomes available.
- Train appropriate staff on HIPAA and the Security and Privacy rules, including how to avoid phishing schemes, malware exposures, unauthorized release of PHI, and how to detect malicious software and report such detections. Provide additional training at least annually and when new threats and security information become known. Document that these trainings occurred, and file the signed training document in each employee’s education file.
- Periodically audit to ensure staff adherence to data integrity and security measures, and verify that the facility’s HIPAA, PHI, security, and privacy policies are being followed. Additionally, ensure that computers and other devices are regularly scanned and updated.
*This news alert has been prepared by Med-Net Concepts, Inc. for informational purposes only and is not intended to provide legal advice.*