Botched Server Install Results in $2.14 Million HIPAA Breach Fine

Failure to change a default setting on a new server caused private patient information to be publicly accessible over the Internet for an entire year.

Aldrin Brown, Editor-in-Chief

October 19, 2016


A Catholic health care system has agreed to pay $2.14 million to settle claims it failed to change the default settings after installing a new server, allowing public access to the private health records of 31,800 patients.

St. Joseph Health – which operates hospitals, community clinics, nursing facilities and provides a range of other health care services – agreed it was in potential violation of security rules of the Health Insurance Portability and Accountability Act (HIPAA).

The U.S. Department of Health and Human Services’ Office of Civil Rights (OCR) opened an investigation on Feb. 14, 2012, after St. Joseph Health reported that files containing electronic protected health information (ePHI) had been publicly accessible via Google and other browsers during the entire preceding year.

“The server SJH purchased to store the files included a file sharing application whose default settings allowed anyone with an Internet connection to access them,” OCR said in an Oct. 17 statement announcing the settlement.

“Upon implementation of this server and the file sharing application, SJH did not examine or modify it,” the statement continued. “As a result, the public had unrestricted access to PDF files containing the ePHI of 31,800 individuals, including patient names, health statuses, diagnoses, and demographic information.”

Federal investigators determined the health care nonprofit failed to conduct a thorough evaluation of the environmental and operational implications of installing the new server.

Also, multiple contractors hired by St. Joseph to assess risks and vulnerabilities of ePHI were brought on in a patchwork fashion that did not result in the enterprise-wide risk analysis required by HIPAA.

“Entities must not only conduct a comprehensive risk analysis, but must also evaluate and address potential security risks when implementing enterprise changes impacting ePHI,” OCR Director Jocelyn Samuels said in a statement. “The HIPAA Security Rule’s specific requirements to address environmental and operational changes are critical for the protection of patient information.”

In addition to the financial payment, St. Joseph Health agreed to a corrective action plan that includes a thorough risk analysis, implementation of a risk management plan and staff training.

The $2.14 million penalty brings the total amount of settlements for HIPAA security violations to $22.84 million this year, up sharply from $6.2 million in all of 2015.




About the Author(s)

Aldrin Brown

Editor-in-Chief, Penton

Veteran journalist Aldrin Brown comes to Penton Technology from Empire Digital Strategies, a business-to-business consulting firm that he founded that provides e-commerce, content and social media solutions to businesses, nonprofits and other organizations seeking to create or grow their digital presence.

Previously, Brown served as the Desert Bureau Chief for City News Service in Southern California and Regional Editor for Patch, AOL's network of local news sites. At Patch, he managed a staff of journalists and more than 30 hyper-local and business news and information websites throughout California. In addition to his work in technology and business, Brown was the city editor for The Sun, a daily newspaper based in San Bernardino, CA; the college sports editor at The Tennessean, Nashville, TN; and an investigative reporter at the Orange County Register, Santa Ana, CA.

