Poor Access Management Leads to $5.5 Million HIPAA Penalty

A Miami, Fla.-area nonprofit this week paid $5.5 million to settle a HIPAA case alleging that credentials of former employees were used to access electronic protected health information (ePHI) of 80,000 people – some of whom were later victims of identity theft.

South Broward Hospital District, which does business as Memorial Healthcare System (MHS), initially reported in April of 2012, that two former employees had improperly accessed ePHI.

The nonprofit hospital chain filed a follow-up case three months later, saying they had found evidence of additional breaches by 12 other employees who worked at affiliated physicians offices.

Investigators from the U.S. Department of Health and Human Services Office of Civil Rights (OCR) determined that MHS failed to revoke access of former employees, failed to review logs and access records, and had inadequate policies for managing employee permissions to networks containing ePHI.

“Access to ePHI must be provided only to authorized users, including affiliated physician office staff,” Robinsue Frohboese, acting OCR director, said in a statement Thursday.

“Further, organizations must implement audit controls and review audit logs regularly,” the statement continued. “As this case shows, a lack of access controls and regular review of audit logs helps hackers or malevolent insiders to cover their electronic tracks, making it difficult for covered entities and business associates to not only recover from breaches, but to prevent them before they happen.”

IT service providers continue to strike gold working in the healthcare vertical. But the lucrative market also poses substantial risks for covered entities and authorized business associates – often third-party IT service providers – in the event ePHI is mishandled.

In the latest case, MHS reported their suspicion that as many as 105,646 individuals might have been affected, though OCR investigators ultimately placed the final tally at about 80,000.

Still, the impact was significant.

“Some of these instances led to federal charges relating to selling protected health information and filing fraudulent tax returns,” OCR investigators said in a document detailing terms of the settlement.

As part of the agreement, MHS also agreed to comply with a corrective action plan.

The $5.5 million payment is tied for the largest HIPAA breach penalty levied so far and marks a continuation of an enforcement crackdown that dates back to the start of last year.

OCR has collected $11.4 million so far in 2017.

That’s compared to $23.5 million last year, and just $6.2 million levied in all of 2015.

Send tips and news to [email protected].