Phishing Attack Results in $400,000 HIPAA Breach Fine

Written by Aldrin Brown
April 12, 2017

The payment by a Denver-based network of public health clinics marks the first settlement deal since shortly after the federal office responsible for HIPAA enforcement changed leadership in January.

A Denver, Colo.-area network of public health clinics paid a $400,000 HIPAA breach penalty after a phishing attack let a hacker gain access to employee email accounts and obtain electronic protected health information (ePHI) of 3,200 patients, federal authorities said today.

Metro Community Provider Network (MCPN) – which provides primary medical care, pharmacies, social work, dental and behavioral care to roughly 43,000 mostly poor patients – reported the breach in January of 2012.

Investigators from the U.S. Department of Health and Human Services Office of Civil Rights (OCR) found that MCPN violated the HIPAA Security Rule by failing to do proper risk assessments or implement adequate cybersecurity measures and procedures.

“Specifically, MCPN has failed to conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity and availability of ePHI held by MCPN,” OCR wrote in the official Resolution Agreement. “Further, MCPN has failed to implement security measures sufficient to reduce risks and vulnerabilities to a reasonable and appropriate level.”

Investigators indicated the financial component of the settlement might have been higher but OCR considered the public benefit of the services provided by the nonprofit.

MCPN is a federally qualified health center (FQHC), which means it receives government reimbursement for treating people with incomes at or below the poverty line.

“With this settlement amount, OCR considered MCPN’s status as a FQHC when balancing the significance of the violation with MCPN’s ability to maintain sufficient financial standing to ensure the provision of ongoing patient care,” OCR said in a statement today.

MCPN must also adhere to a corrective action plan.

The payment marks the first agreement in nearly two months, following three settlements totaling $11.4 million during the first six weeks of 2017.

That pause coincided with the transition in presidential administration and prompted some observers to question whether new OCR Director Roger Severino would continue an enforcement crackdown that began under his predecessor Jocelyn Samuels.

“Patients seeking health care trust that their providers will safeguard and protect their health information,” Severino said in today’s OCR statement. “Compliance with the HIPAA Security Rule helps covered entities meet this important obligation to their patient communities.”

Compliance with the security and privacy rules of the Health Insurance Portability and Accountability Act has become increasingly important to IT services providers working in healthcare.

Though lucrative, the vertical also carries risks for managed service providers (MSPs), who are required to sign business associate agreements (BAAs) which expose them to liability in the event that ePHI is mishandled.

The MCPN settlement brings to $11.8 million the amount of HIPAA breach payments collected by OCR thus far this year.

Last year, the agency collected a record $23.5 million, up from $6.2 million in all of 2015.

Send tips and news to [email protected].