Yet another data breach of sensitive information involving a healthcare organization has highlighted the extreme need for security risk management amongst those at-risk facilities and organizations with the most liabilities to mitigate. An October18, 2016 press release from HHS.gov (Dept. of Health and Human Services) related the details of the incident, which has cost St. Joseph Health $2.14 million in HIPAA fines due to lack of appropriate data security measures and failing to meet HIPAA compliance standards.
The HIPAA Violation Details from HHS
On February 14, 2012, St. Joseph Health (SJH) of Irvine, CA, reported to the U.S. Department of Health and Human Services, Office for Civil Rights (OCR) that certain files it created for its participation in the Meaningful Use Program, which contained electronic protected health information (ePHI), were publicly accessible on the internet from February 2011 until February 2012, via Google and possibly other internet search engines. The server purchased by SJH to store the files included a file sharing application with default settings that allowed anyone with an internet connection to access them. Upon implementation of this server and the file sharing application, SJH failed to examine or modify it. Consequently, the public had unrestricted access to PDF files containing the ePHI of 31,800 individuals, including patient names, health statuses, diagnoses, and demographic information.
St. Joseph Health has agreed to settle potential violations of the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Privacy and Security Rules following the report that files containing ePHI were publicly accessible through internet search engines from 2011 until 2012. SJH, a nonprofit integrated Catholic health care delivery system sponsored by the St. Joseph Health Ministry, will pay a settlement amount of $2,140,500 and adopt a comprehensive corrective action plan. SJH’s range of services includes 14 acute care hospitals, home health agencies, hospice care, outpatient services, skilled nursing facilities, community clinics and physician organizations throughout California and in parts of Texas and New Mexico.
“Entities must not only conduct a comprehensive risk analysis, but must also evaluate and address potential security risks when implementing enterprise changes impacting ePHI,” said OCR Director Jocelyn Samuels. “The HIPAA Security Rule’s specific requirements to address environmental and operational changes are critical for the protection of patient information.”
In addition to the $2,140,500 settlement levied against it, SJH has agreed to a corrective action plan that requires the organization to:
- Conduct an enterprise-wide risk analysis
- Develop and implement a risk management plan
- Revise its information security policies and procedures, and
- Adequately train its staff on these policies and procedures.
The Resolution Agreement and Corrective Action Plan may be found on the OCR website at http://www.hhs.gov/hipaa/for-professionals/compliance-enforcement/agreements/sjh.
Get Better Information Security Management Now
If you require a consultation on getting better IT and data security risk management tools and policies in place for your organization, then you’ll want to speak to an IT consultant at {company}, which is a leader in IT security and services. Call us at {phone}, or email us at {email} today for more information.