$2 Million HIPAA Penalty After Patient Data Exposed on WebEnforcement Agency Says Health System Made Multiple Missteps
In the twelfth HIPAA enforcement action so far this year, federal regulators have smacked St. Joseph Health System with a $2.14 million penalty after investigating a breach that left protected health information of nearly 32,000 individuals exposed to internet searches for more than a year.
Jocelyn Samuels , director of the Department of Health and Human Service' Office for Civil Rights, says in a statement the case highlights several important issues related to managing risk.
"Entities must not only conduct a comprehensive risk analysis, but must also evaluate and address potential security risks when implementing enterprise changes impacting ePHI," Samuels said. "The HIPAA Security Rule's specific requirements to address environmental and operational changes are critical for the protection of patient information."
In addition to its settlement with OCR, California-based St. Joseph Health in March agreed to a $28 million settlement to resolve a class action lawsuit stemming from the same breach.
Some experts say the breach incident that led to OCR's investigation was particularly egregious.
"The size of the financial penalty will always be higher when in the course of investigating a breach, OCR determines that the HIPAA security risk assessment requirements have not been met," says Dan Berger, CEO of security consulting firm Redspin.
"There is a logical assumption that the breach may have been avoided had a proper risk assessment been conducted. An inadequate policy, an improper server setting, or even an unlocked door can all lead to a breach of ePHI, which, in turn, prompts an investigation and a potentially severe punitive enforcement action," he says. "Another reason for the hefty fine [against St. Joseph Health] may be because the information was publicly accessible on the internet for over a year."
The St. Joseph Health is a reminder to organizations that breaches "can have a real impact on their bottom line, says healthcare attorney Elizabeth Hodge of the law firm Akerman LLP.
On Feb. 14, 2012, St Joseph Health reported to HHS that certain files containing electronic PHI were publicly accessible on the internet from Feb. 1, 2011, until Feb. 13, 2012, via Google and possibly other internet search engines.
The files had been created for St. Joseph Health's participation in the HITECH Act electronic health record meaningful use incentive program, OCR says. But the server St. Joseph Health purchased to store the files included a file sharing application with default settings that allowed anyone with an internet connection to access them, the agency says.
"Upon implementation of this server and the file sharing application, SJH did not examine or modify it. As a result, the public had unrestricted access to PDF files containing the ePHI of 31,800 individuals, including patient names, health statuses, diagnoses and demographic information," OCR notes.
In addition, OCR says its investigation found that although St. Joseph Health hired a number of contractors to assess the risks and vulnerabilities to the confidentiality, integrity and availability of ePHI held by the healthcare provider, "evidence indicated that this was conducted in a patchwork fashion and did not result in an enterprisewide risk analysis, as required by the HIPAA Security Rule."
Corrective Action Plan
As part of the resolution agreement, St. Joseph Health has agreed to a corrective action plan that requires the organization to conduct an enterprisewide risk analysis, develop and implement a risk management plan, revise its policies and procedures and train its staff on these policies and procedures.
"The main lesson on this is how important it is to have a broad, well-considered, overall risk assessment that really focuses on identifying your security risks and then - in the follow-up step - managing those risks," says privacy attorney Kirk Nahra of the law firm Wiley Rein. "I'm not entirely sure why this settlement was a bigger amount, other than that the 'problem' that resulted may have been worse - public exposure - than many others."
The St. Joseph Health settlement offers up other important reminders to other covered entities and business associates, Berger says.
"While this should go without saying, always change the default settings or default passwords on any new network devices, critical systems or applications that are installed on the network," he says. "It is surprising how often we find default credentials still in use during our HIPAA security risk analysis engagements."
In a statement provided to Information Security Media Group, a St. Joseph Health spokeswoman says: "St. Joseph Health is pleased that we could come to a settlement on this issue and we deeply regret any undue concern to our patients. The facts to remember about this case are that data did not include Social Security [numbers], addresses or financial data. Additionally, there is no indication that the information was used by unauthorized persons. Since the situation was discovered , we have invested in a number of initiatives to ensure the continued security of patient data, including $17 million in enhanced data security infrastructure. These measures and more are intended to provide for the safety and security of our patients' information."
Ramped Up Enforcement
The twelfth OCR settlement in 2016 reflects ramped up enforcement activities at OCR, with a record number of settlements with covered entities and business associates so far in 2016, Samuels noted during her Oct. 19 opening address at a HIPAA Summit hosted by OCR and the National Institute of Standards and Technology.
So far in 2016, OCR has issued both its largest and smallest settlement to date, she added.
The largest was a $5.5 million settlement in August with Advocate Health Care over three 2013 breaches, including an incident involving the theft of four unencrypted computers, which affected 4 million individuals. The smallest was OCR's $25,000 settlement in March with Complete P.T., Pool & Land Physical Therapy Inc., which came after an investigation following an August 2012 complaint alleging that the organization was disclosing PHI on its website for marketing purposes.
"Monetary relief that we seek is designed to ensure that entities take their obligations under HIPAA seriously," she said. "Corrective action plans are core of what we seek ... to ensure that problems can be corrected moving forward."
Factors That OCR Weighs
OCR considers several factors in determining financial settlements stemming from breach investigations, Samuels noted. Those include the number of individuals affected, the egregiousness of the situation, the duration of noncompliance and the mitigation steps taken. Also, OCR attempts to avoid setting payment amounts so high that they would endanger an entity's ability to provide healthcare services or coverage, she adds.
Samuels hinted in her presentation of more enforcement actions to come. "I know you've heard of larger breaches that occurred last year," she said. "We are working to address those, and we may have more information to report in the future."
"I expect that OCR will continue its increased enforcement activity for the foreseeable future, including additional resolution agreements through the rest of 2016 and into 2017," says Hodge, the attorney.
Additionally, OCR recently announced that it will investigate more reported breaches involving fewer than 500 individuals, which will lead to more resolution agreements, Hodge notes (see Details Behind HHS Breach Investigation Ramp-Up). "The agency is also in the midst of Phase 2 of the HIPAA audits, which could result in enforcement activity in certain circumstances." (See OCR: Business Associate HIPAA Audits Coming Soon).