Saturday, February 18, 2017

Office for Civil Rights (OCR) hits Memorial Healthcare System with $5.5M Massive Fine

Memorial Healthcare System, a South Florida provider, has been hit with a large fine as part of a resolution agreement with the Office for Civil Rights (OCR) of the Department of Health and Human Services.

The healthcare system was cited for lapses in auditing employee access to protected health information (PHI), lapses that resulted in data breaches affecting 115,143 people. The six-hospital delivery system has now paid $5.5 million to OCR under the resolution agreement to settle violations of the HIPAA Privacy and Security Rules. Memorial Healthcare System has also agreed to follow a corrective action plan intended to prevent similar breaches in the future.

The payment is the second largest ever levied by the agency, behind only the $5.55 million penalty OCR imposed last August on Advocate Health Care for its breaches.

Some of the breached information was used to file fraudulent tax returns, OCR noted.

OCR enforcement of the HIPAA rules continues to intensify, and the size of fines for violations is growing as well. Before 2016, the record for total fines OCR levied in a single year was $7.9 million; last year, settlement payments reached $25.6 million.

In the agreement that Memorial Healthcare System signed, OCR asserts that employees at Memorial and at an affiliated physician practice impermissibly accessed PHI. A former employee of the practice, for example, was provided access to PHI for more than a year.

“On the day of April 12, 2012, MHS submitted a breach report to HHS demonstrating that 2 MHS employees unsuitably accessed patient information, involving names, dates of birth and Social Security numbers,” according to OCR. “On the day of July 22, 2012, MHS submitted an extra addendum breach report to notify HHS that during its internal investigation, it discovered extra impermissible access by twelve users at affiliated physician offices. Few of these incidents led to federal charges related to selling protected health information and filing fraudulent tax returns.”

From January 2011 to June 2012, MHS failed to implement procedures to regularly review audit logs, access reports and security incident tracking reports, and further failed to oversee access authorization policies that establish, document, review and modify user access rights, OCR charged.

Electronic protected health information must be made available only to authorized users, and “Organizations must execute audit controls and review audit logs regularly,” stated Robinsue Frohboese, acting director of OCR, in a statement announcing the sanctions.
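The failures OCR describes are concrete: a terminated account that kept working, affiliate logins nobody reconciled against a roster, and audit logs that were collected but not reviewed. As an added illustration (not code from Memorial, IBM or OCR), the script below runs the kind of periodic review OCR says was missing over a constructed PHI access log. The log format, the user roster with termination dates, the role names and the per-role volume limits are all assumptions made for the example.

```python
"""
Added example, not part of the original article: a minimal periodic review of a
PHI access audit log. Log format, roster fields, roles and limits are assumptions.
"""
from datetime import date, datetime

# Constructed sample roster: user -> (role, termination date or None).
# contractor07 left in March 2011 but the account was never disabled.
ROSTER = {
    "nurse01": ("clinical", None),
    "billing02": ("billing", None),
    "contractor07": ("affiliate", date(2011, 3, 1)),
}

# Constructed sample audit log lines: timestamp,user,patient_id,action
AUDIT_LOG = """\
2011-06-01T08:02:11,nurse01,P1001,view
2011-06-01T08:05:40,nurse01,P1002,view
2011-06-01T09:10:03,billing02,P1003,view
2011-06-01T09:11:15,contractor07,P1004,view
2011-06-01T09:11:49,contractor07,P1005,export
2011-06-01T10:30:00,unknown99,P1006,view
2011-06-01T11:00:00,billing02,P1007,view
2011-06-01T11:00:05,billing02,P1008,view
2011-06-01T11:00:09,billing02,P1009,view
2011-06-01T11:00:14,billing02,P1010,view
"""

# Assumed ceiling on distinct patient records a role should touch per review window.
ROLE_DAILY_LIMIT = {"clinical": 50, "billing": 3, "affiliate": 10}


def parse_log(text):
    """Parse CSV-style audit lines into event dicts; blank lines are skipped."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, patient, action = line.split(",")
        events.append({
            "ts": datetime.fromisoformat(ts),
            "user": user,
            "patient": patient,
            "action": action,
        })
    return events


def review_access(events, roster=ROSTER, limits=ROLE_DAILY_LIMIT):
    """Return (finding_type, user, detail) tuples for the incident tracking process.

    Checks performed, matching the three control gaps cited by OCR:
      - unknown_account: access by a login that is not on the authorized roster
      - access_after_termination: activity on an account after its end date
      - volume_over_role_limit: more distinct patients than the role should need
    """
    findings = []
    distinct_patients = {}
    for ev in events:
        user = ev["user"]
        entry = roster.get(user)
        if entry is None:
            findings.append(("unknown_account", user, ev["patient"]))
            continue
        role, terminated = entry
        if terminated is not None and ev["ts"].date() >= terminated:
            findings.append(("access_after_termination", user, ev["patient"]))
        distinct_patients.setdefault(user, set()).add(ev["patient"])
    for user, patients in distinct_patients.items():
        role, _ = roster[user]
        if len(patients) > limits.get(role, 0):
            findings.append(("volume_over_role_limit", user, len(patients)))
    return findings


if __name__ == "__main__":
    for finding in review_access(parse_log(AUDIT_LOG)):
        print(finding)
```

On the constructed log the review surfaces four items: two accesses by the terminated contractor account, one by a login absent from the roster, and a billing user who viewed more records than the assumed role limit. In a real deployment the roster would be fed from HR and identity management rather than a dict, the log would come from the EHR audit trail, and each finding would open a ticket in the security incident tracking process OCR expects to exist; the point of the example is that none of these checks are expensive, only neglected.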

In response to the OCR charges and settlement, Memorial Healthcare System released the following statement:

“Safeguarding patient health information has always been a top priority at Memorial Healthcare System. More than 5 years ago, Memorial was notified that 2 workers were engaging in criminal conduct including theft of patient confidential information in the year of 2011. Memorial instantly terminated those people and started an in-depth internal investigation. During its investigation, Memorial discovered that people who worked in affiliated physicians’ offices had inappropriately accessed patient data by using legitimate log-in credentials of workers in those physicians’ offices.

“True to its culture of compliance and transparency, Memorial proactively reported the actions of the 2 employees and the findings of its internal investigation regarding the affiliated physicians’ staff to the Department of Health and Human Services’ Office for Civil Rights (OCR). It also simultaneously notified all sufferers who might have been affected and provided them with free credit monitoring. Memorial worked closely with law enforcement to help in their investigations, which finally led to federal prosecution and conviction of the criminals.

“Upon learning of the breaches, Memorial rapidly acted to execute new, sophisticated technologies developed to monitor use and access of patient data, further restricted access to protect patient data, and enacted new policies and processes to enhance password security. Memorial employed IBM, a global leader in cybersecurity, to give assessment, response, and monitoring services. IBM continues to provide cybersecurity services to Memorial today. Memorial also hired an independent technology firm to conduct network audits and scans.

“Memorial’s February 2017 settlement with the OCR resolves all allegations surrounding these breaches. While Memorial powerfully disagrees with several of OCR’s allegations, has admitted no liability and has opted to settle this case, it nevertheless agrees with the significance OCR places on maintaining the security of patient data.

“Memorial…will continue to vigorously monitor access and use of patient data and maintain rigorous cybersecurity and internal safeguards.”
