Memorial Healthcare System pays $5.5M HIPAA settlement

Hollywood, Fla.-based Memorial Healthcare System agreed to implement a corrective action plan and paid HHS $5.5 million to settle claims it violated HIPAA.

MHS reported to HHS that unauthorized employees had accessed the protected health information of 115,143 individuals and disclosed it to affiliated physician office staff. The accessed data included patients' names, Social Security numbers and dates of birth.

Additionally, between April 2011 and April 2012, the login information of a former employee of an affiliated physician's office was used to access patients' information. The act affected 80,000 individuals.

HHS claims that although MHS had employee access policies in place, it failed to implement them. MHS also did not regularly review records of information system activity despite having identified the risks associated with it.

"Access to [electronic protected health information] must be provided only to authorized users, including affiliated physician office staff," said Robinsue Frohboese, acting director of HHS' Office for Civil Rights. "Further, organizations must implement audit controls and review audit logs regularly."

Kerting Baldwin, administrative director of corporate communications for Memorial Healthcare System, provided Becker's Hospital Review with the following statement:

"Safeguarding patients' health information has always been a top priority at Memorial Healthcare System. More than five years ago, Memorial was notified that two employees were engaging in criminal conduct involving theft of patient confidential information in 2011. Memorial immediately terminated those individuals and launched an in-depth internal investigation. During its investigation, Memorial discovered that individuals who worked in affiliated physicians' offices had inappropriately accessed patient information by using legitimate login credentials of employees in those physicians' offices. 

"True to its culture of compliance and transparency, Memorial proactively reported the actions of the two employees and the findings of its internal investigation regarding the affiliated physicians’ staff to HHS' OCR. It also simultaneously notified all patients who may have been affected and provided them with free credit monitoring. Memorial worked closely with law enforcement to assist in their investigations, which ultimately led to federal prosecution and conviction of the criminals.

"Upon learning of the breaches, Memorial quickly acted to implement new, sophisticated technologies designed to monitor use and access of patient data, further restricted access to protect patient information, and enacted new policies and procedures to enhance password security. Memorial hired IBM, a global leader in cybersecurity, to provide assessment, response, and monitoring services. IBM continues to provide cybersecurity services to Memorial today. Memorial also hired an independent technology firm to conduct network audits and scans.

"Memorial's February 2017 settlement with the OCR resolves all allegations surrounding these breaches. While Memorial strongly disagrees with many of OCR’s allegations, has admitted no liability and has chosen to settle this case, it nevertheless agrees with the importance OCR places on maintaining the security of patient information. 

"Memorial takes its responsibility to safeguard its patients’ confidential information very seriously. Memorial will continue to vigorously monitor access and use of patient information and maintain rigorous cybersecurity and internal safeguards."

Editor's note: This article was updated Feb. 17 at 4:00 p.m. CT to include the statement attributed to Ms. Baldwin.
