A Denver healthcare provider has agreed to a $400,000 HIPAA settlement with the U.S. Department of Health and Human Services Office for Civil Rights.
The settlement stems from data breach allegations against Metro Community Provider Network (MCPN) from 2012. MCPN services around 43,000 patients each year, many of whom have incomes at or below poverty level.
According to a press release about the settlement, back in January 2012, MCPN filed a breach report with the OCR regarding a hacker who accessed employees’ email accounts and obtained 3,200 individuals’ electronic protected health information (ePHI) via a phishing incident.
“OCR’s investigation revealed that MCPN took necessary corrective action related to the phishing incident; however, the investigation also revealed that MCPN failed to conduct a risk analysis until mid-February 2012. Prior to the breach incident, MCPN had not conducted a risk analysis to assess the risks and vulnerabilities in its ePHI environment, and, consequently, had not implemented any corresponding risk management plans to address the risks and vulnerabilities identified in a risk analysis. When MCPN finally conducted a risk analysis, that risk analysis, as well as all subsequent risk analyses, were insufficient to meet the requirements of the Security Rule.”
Risk analysis, which is mandated as part of the HIPAA Security Rule, requires healthcare organizations to evaluate the likelihood and impact of potential risks to ePHI, and implement and document appropriate security measures.
“Risk analysis should be an ongoing process, in which a covered entity regularly reviews its records to track access to e-PHI and detect security incidents, periodically evaluates the effectiveness of security measures put in place, and regularly re-evaluates potential risks to e-PHI,” it says on the Health and Human Services website.
Along with the $400,000 payment, MCPN agreed to implement a corrective action plan. MCPN is a federally-qualified health center, which was a consideration when coming up with the settlement figure, according to the press release.
They wanted to balance the “significance of the violation with MCPN’s ability to maintain sufficient financial standing to ensure the provision of ongoing patient care.”
Is your business covered for a data breach?