A South Florida hospital chain agreed to settle federal claims it allowed former employees to improperly access names, dates of birth and Social Security numbers of 80,000 people – some of which was later used in identity theft.

Aldrin Brown, Editor-in-Chief

February 17, 2017

Poor Access Management Leads to $5.5 Million HIPAA Penalty

A Miami, Fla.-area nonprofit this week paid $5.5 million to settle a HIPAA case alleging that credentials of former employees were used to access electronic protected health information (ePHI) of 80,000 people – some of whom were later victims of identity theft.

South Broward Hospital District, which does business as Memorial Healthcare System (MHS), initially reported in April 2012 that two former employees had improperly accessed ePHI.

The nonprofit hospital chain filed a follow-up report three months later, saying it had found evidence of additional breaches by 12 other employees who worked at affiliated physicians' offices.

Investigators from the U.S. Department of Health and Human Services Office of Civil Rights (OCR) determined that MHS failed to revoke access of former employees, failed to review logs and access records, and had inadequate policies for managing employee permissions to networks containing ePHI.

“Access to ePHI must be provided only to authorized users, including affiliated physician office staff,” Robinsue Frohboese, acting OCR director, said in a statement Thursday.

“Further, organizations must implement audit controls and review audit logs regularly,” the statement continued. “As this case shows, a lack of access controls and regular review of audit logs helps hackers or malevolent insiders to cover their electronic tracks, making it difficult for covered entities and business associates to not only recover from breaches, but to prevent them before they happen.”
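The two failures OCR names, unrevoked credentials and unreviewed audit logs, are the kind of thing a routine log review would surface. The following script is an added illustration, not code from the article or from MHS: it parses a small constructed ePHI access log, cross-references each entry against a constructed list of employment end dates, and flags any access made on or after the day the account should have been disabled. The log format, user names and dates are all assumptions for the example.

```python
"""Flag ePHI accesses by accounts that should already have been revoked.

Added example (not from the article). All input below is constructed:
the audit-log format is assumed to be "timestamp user action record".
"""
from datetime import date, datetime
from typing import Dict, List, Tuple

# Constructed: user -> date employment ended (access should be revoked that day)
TERMINATED_USERS: Dict[str, date] = {
    "jdoe": date(2012, 1, 15),
    "asmith": date(2012, 3, 1),
}

# Constructed sample audit log: ISO timestamp, user, action, record id
SAMPLE_LOG = """\
2012-01-10T09:12:44 jdoe VIEW patient:10234
2012-01-20T22:05:01 jdoe VIEW patient:10987
2012-02-03T14:30:12 bwong VIEW patient:20011
2012-03-04T03:15:59 asmith EXPORT patient:30456
2012-03-04T03:16:10 asmith EXPORT patient:30457
"""

LogEntry = Tuple[datetime, str, str, str]


def parse_log(text: str) -> List[LogEntry]:
    """Parse whitespace-separated log lines into (timestamp, user, action, record)."""
    entries: List[LogEntry] = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, action, record = line.split(maxsplit=3)
        entries.append((datetime.fromisoformat(ts), user, action, record))
    return entries


def find_post_termination_access(
    entries: List[LogEntry], terminated: Dict[str, date]
) -> List[dict]:
    """Return every access by a user on or after their employment end date.

    Each finding records how many days after termination the access happened,
    which is the figure an incident responder or OCR auditor asks for first.
    """
    findings = []
    for ts, user, action, record in entries:
        end = terminated.get(user)
        if end is not None and ts.date() >= end:
            findings.append({
                "user": user,
                "timestamp": ts.isoformat(),
                "action": action,
                "record": record,
                "days_after_end": (ts.date() - end).days,
            })
    return findings


def summarize(findings: List[dict]) -> Dict[str, int]:
    """Count flagged accesses per former employee."""
    counts: Dict[str, int] = {}
    for f in findings:
        counts[f["user"]] = counts.get(f["user"], 0) + 1
    return counts


if __name__ == "__main__":
    hits = find_post_termination_access(parse_log(SAMPLE_LOG), TERMINATED_USERS)
    for h in hits:
        print(f"{h['timestamp']} {h['user']} {h['action']} {h['record']} "
              f"({h['days_after_end']} days after termination)")
    print("per-user totals:", summarize(hits))
```

In a real environment the termination list would come from HR or the identity system and the log from the EHR's audit trail; the point of the check is that it runs on a schedule rather than only after a breach report, which is exactly the regular review OCR says was missing here.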

IT service providers continue to strike gold working in the healthcare vertical. But the lucrative market also poses substantial risks for covered entities and authorized business associates – often third-party IT service providers – in the event ePHI is mishandled.

In the latest case, MHS reported their suspicion that as many as 105,646 individuals might have been affected, though OCR investigators ultimately placed the final tally at about 80,000.

Still, the impact was significant.

“Some of these instances led to federal charges relating to selling protected health information and filing fraudulent tax returns,” OCR investigators said in a document detailing terms of the settlement.

As part of the agreement, MHS also agreed to comply with a corrective action plan.

The $5.5 million payment is tied for the largest HIPAA breach penalty levied so far and marks a continuation of an enforcement crackdown that dates back to the start of last year.

OCR has collected $11.4 million so far in 2017.

That’s compared to $23.5 million last year, and just $6.2 million levied in all of 2015.

About the Author(s)

Aldrin Brown

Editor-in-Chief, Penton

Veteran journalist Aldrin Brown comes to Penton Technology from Empire Digital Strategies, a business-to-business consulting firm that he founded that provides e-commerce, content and social media solutions to businesses, nonprofits and other organizations seeking to create or grow their digital presence.

Previously, Brown served as the Desert Bureau Chief for City News Service in Southern California and Regional Editor for Patch, AOL's network of local news sites. At Patch, he managed a staff of journalists and more than 30 hyper-local and business news and information websites throughout California. In addition to his work in technology and business, Brown was the city editor for The Sun, a daily newspaper based in San Bernardino, CA; the college sports editor at The Tennessean, Nashville, TN; and an investigative reporter at the Orange County Register, Santa Ana, CA.