Phishing Incident Leads to $400,000 HIPAA Settlement

HIPAA Enforcement Agency Cites Lack of Timely Risk Analysis, Again

Colorado-based Metro Community Provider Network is just another healthcare entity to learn a painful lesson from the Department of Health and Human Services Office for Civil Rights regarding the importance of conducting a timely and comprehensive risk assessment.

The breach was reported in early 2012 after a hacker accessed employees’ email accounts and obtained 3,200 individuals’ electronic PHI through a phishing scam.

The OCR found that MCPN took necessary corrective action related to the phishing incident, but MCPN had failed to conduct a risk analysis until mid-February 2012 – about a month after they reported the breach.

According to the OCR “Prior to the breach incident, MCPN had not conducted a risk analysis to assess the risks and vulnerabilities in its ePHI environment, and, consequently, had not implemented any corresponding risk management plans to address the risks and vulnerabilities identified in a risk analysis.” When MCPN finally conducted a risk analysis, that study, as well as all subsequent risk analyses, did not meet the requirements of the HIPAA security rule.

“As we have seen in the past, the investigation focused on the failure of conducting an enterprise wide information security risk analysis and implementing a risk management plan to address the vulnerabilities found by the assessment.”

The lack of a timely, comprehensive, and enterprise-wide risk analysis – as well as failure to follow up with mitigation remedies to address risks identified in the assessments – have been a recurring theme in most of OCR’s 47 HIPAA enforcement actions related to breach investigations since 2008.

The OCR continues to view a good risk analysis as foundational to HIPAA Security Rule compliance as almost all breaches lead OCR to identifying a lack of risk analysis and risk management.

In its statement about MCPN, OCR implies that the $400,000 settlement amount in that case also might’ve been higher. However, OCR notes it “considered MCPN’s status as a federally-qualified health center when balancing the significance of the violation with MCPN’s ability to maintain sufficient financial standing to ensure the provision of ongoing patient care.”

MCPN Corrective Action Plan

In its corrective action plan with OCR, MCPN agreed to take a number of steps to bolster its security practices, including:

  • Conducting a comprehensive and thorough risk analysis of security risks and vulnerabilities that includes systems at all current MCPN facilities;
  • Developing an organization-wide risk management plan to address and mitigate any security risks and vulnerabilities identified in the risk analysis;
  • Reviewing, and if necessary, revising, its current HIPAA security rule policies and procedures based on the findings of the risk analysis;
  • Providing its workforce with revised training materials based on any revisions to its policies and procedures as a result of the MCPN risk analysis findings.

Lessons to Learn

The biggest lessons emerging from OCR’s latest HIPAA settlement is to conduct a risk assessment; and do the best you reasonably can, before, during and after an incident.

Looking Ahead

We can expect that OCR will issue several future resolution agreements involving organizations that have suffered breaches that are as a result of phishing scams or other cybersecurity incidents.

OCR’s records show that the number of breaches caused by these types of incidents has increased dramatically over the last few years. Regardless of the cause of a breach a fine or penalty is more likely to be levied when OCR’s investigation finds that the root cause of the hacking incident was that the organization had not performed an adequate risk analysis prior to the occurrence of the breach.

If you have questions about risk assessments or phishing prevention training call ITPAC today.