Unauthorized access to ePHI on web server results in $875,000 settlement

The U.S. Department of Health and Human Services Office for Civil Rights (“OCR”) announced a settlement with a research university (“University”) that agreed to pay $875,000 to resolve potential violations of the HIPAA Privacy, Security, and Breach Notification Rules, and to take corrective action, after an unauthorized third party gained access to a web server containing electronic protected health information (“ePHI”).

In January 2018, the University notified OCR of a breach of ePHI that affected 279,865 people and occurred in November 2017. The breach occurred when a hacker gained access to a web server by downloading malware. The web server contained ePHI, including patient names, Medicaid numbers, health care provider names, dates of service, dates of birth, addresses, and treatment information.

In addition to this breach, the University later reported that a hacker had previously accessed the same web server as early as March 2016. The University did not report that earlier incident at the time because it was unaware that ePHI was stored on the web server in 2016.

OCR found indications that the University had failed to comply with a number of requirements of the Privacy, Security, and Breach Notification Rules. These include:

  • Unauthorized uses and disclosures of PHI;
  • Failure to conduct an accurate and thorough risk analysis;
  • Failure to evaluate the extent to which the covered entity’s security policies and procedures meet the requirements of the Security Rule;
  • Failure to implement audit controls and security incident response and reporting procedures; and
  • Failure to provide timely breach notification to affected individuals and to HHS.

In addition to the $875,000 settlement, the University has agreed to comply with a corrective action plan (“CAP”) for a period of two years. The CAP includes obligations to:

  • Perform a full risk analysis of all security threats that may involve ePHI;
  • Create a risk management plan based on the results of the risk analysis;
  • Develop, maintain, and distribute policies and procedures to comply with federal standards that govern privacy and security of PHI;
  • Train all staff on the policies and procedures, and report any non-compliance with them to OCR; and
  • Appoint a person or entity to monitor CAP compliance.

Practical takeaways

In light of this settlement, covered entities should consider the following:

  • A covered entity must conduct a risk analysis to identify security threats and vulnerabilities affecting all ePHI it creates, receives, maintains, or transmits. The results of the risk analysis should be addressed through a risk management plan that mitigates the threats and vulnerabilities identified.
  • Data governance is critical to the proactive management of ePHI. HIPAA-covered entities accumulate ePHI from many disparate sources, and not every source of ePHI may be properly identified and categorized by the entity. Good data governance practices help ensure that a covered entity knows where ePHI resides on its systems and can properly assess whether a security incident constitutes a breach of ePHI.
  • Covered entities must have a process for regularly auditing uses and disclosures of PHI so that unauthorized uses and disclosures are detected and reported in accordance with HIPAA requirements.
  • Covered entities, regardless of size, must have policies and procedures in place to comply with the HIPAA Privacy, Security, and Breach Notification Rules. It is especially important that these address threats and vulnerabilities to ePHI.