A new HIPAA fine has been released, and it’s significant. Federal regulators have issued one of the largest HIPAA settlements ever, in favor of 521 impacted individuals, against Massachusetts-based healthcare organization Fresenius Medical Care North America (FMCNA). Cited specifically for a lack of risk analysis, FMCNA now ranks among the costliest HIPAA penalties issued, paying out $3.5 million to affected individuals.
Fresenius first reported the breach on January 21, 2013. Data exposed included patient names, addresses, dates of birth, telephone numbers, insurance information and even some Social Security numbers. FMCNA committed an all-too-common HIPAA violation: failure to conduct a thorough risk analysis of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of all of its electronic protected health information (ePHI).
FMCNA’s settlement arose from five separate incidents involving lost or stolen technology. While no single event affected more than 250 individuals (half the threshold at which a breach must be reported to the Department of Health and Human Services), the accrued total across the five events put FMCNA in trouble and landed it among the top five costliest settlements for a violation of HIPAA compliance.
The largest settlements to date:
Advocate Health Care Network: $5.55 million
Penalized for the theft of four desktop computers containing the ePHI of approximately 4 million patients. Advocate was found to have failed to fully assess potential risks to its patient data, to apply proper security procedures, to implement physical controls at a large data support center, and to obtain security agreements with its business associates.
Memorial Healthcare System: $5.5 million
MHS was penalized after a breach that affected 115,143 individuals, in which Memorial employees impermissibly accessed and disclosed patient information to the staff of an affiliated physician office. While Memorial had workforce access policies in place, MHS failed to implement procedures for reviewing, modifying and/or terminating users’ right of access, as required by HIPAA rules.
New York-Presbyterian Hospital and Columbia University: $4.8 million
Penalized after a breach that occurred when a physician employed by the university attempted to deactivate a personally owned computer server on the network; because technical safeguards were lacking, ePHI became accessible to internet search engines.
Cignet Health of Prince George County: $4.3 million
After failing to provide individuals with copies of their medical records for over a year, far exceeding the maximum 60-day limit, Cignet was penalized heavily by the Office for Civil Rights (OCR).
Fresenius Medical Care North America: $3.5 million
All penalized parties were also required to undergo substantive corrective action plans.
A Shift in OCR Watchdogging
Unlike the top four contenders for costliest settlement, the FMCNA settlement illustrates that a breach doesn’t need to affect millions of individuals to get attention from the OCR. The settlement indicates that FMCNA was found guilty of a systemic failure to apply basic safeguards to protect ePHI. Not only had Fresenius failed to conduct an information security risk analysis and to implement risk management plans addressing the vulnerabilities found in its initial assessment, it also neglected to protect the workstations and portable devices on which ePHI was stored.
This case is a landmark for HIPAA protections: it illustrates that the size of a breach is irrelevant to the penalty for mishandling ePHI and that any organization which fails to meet HIPAA compliance will be penalized to the fullest extent of the law. As the OCR tightens the reins of HIPAA compliance, supervision and penalization, it’s important for healthcare facilities to carefully review their operating procedures to ensure the safe handling of patient information.
As stated in the HIPAA guidelines, all healthcare organizations are responsible for detecting and managing their own security operations and procedures. If they are found lacking, government watchdogs like the OCR will not politely negotiate an update; they will take legal action on behalf of the impacted individuals whose records are vulnerable. No one can help you locate security vulnerabilities if you don’t hire them yourself.
While you can rely on auditing and compliance software to stay up to date with security protection, the risk of a violation is too great to accept the bare minimum. With all these moving parts, it helps to secure a single solution that covers all your bases. While creating network security and usage protocols may look good on paper, your organization must be 100% certain that you’re protecting the end users whose data you hold. If IT infrastructure is outside your scope of knowledge, leverage help from experts. To ensure complete protection, consider employing BAI’s Managed Security Services. Our wide-ranging services will allow you to:
- Identify vulnerabilities like unpatched software or insecure configurations
- Discover all IP-enabled assets on your network
- Collect, normalize and correlate security events across a myriad of existing security products and tools
- Detect network scans and malware like botnets, Trojans and rootkits
- Receive immediate incident response reports with built-in remediation guidance for every alert
- Generate accurate compliance reports for PCI DSS, GLBA, HIPAA and more
Do more for your patients and your organization with a thorough, strategic solution for managing sensitive ePHI. It’ll save you a lot of heartache down the road, we promise you that.