UPDATE: Memorial Healthcare System sent comments to HealthITSecurity.com on February 17.
Florida-based Memorial Healthcare System (MHS) recently agreed to a $5.5 million OCR HIPAA settlement, stemming from incidents that were reported in 2012. OCR stated that a lack of audit controls was a major factor in the settlement.
A PHI data breach was first reported to OCR on April 12, 2012, in which MHS employees inappropriately accessed patient information, including names, dates of birth, and Social Security numbers. An additional report was sent a few months later, after MHS found that further impermissible access had occurred.
In the second incident, 105,646 individuals had their information accessed. Furthermore, some information was then sold to file fraudulent tax returns.
An HHS investigation found that 80,000 individuals’ PHI was disclosed when MHS gave a former employee of an affiliated physician practice access to the data from April 1, 2011, to April 27, 2012.
Additionally, “MHS failed to implement procedures to regularly review records of information system activity, such as audit logs, access reports, and security incident tracking reports,” from January 1, 2011 to June 1, 2012. In that same time frame, MHS also did not implement necessary policies and procedures to “establish, document, review, and modify a user's right of access to a workstation, transaction, program, or process.”
OCR Acting Director Robinsue Frohboese said in a statement that it is essential for ePHI access to only be provided to authorized users, which includes affiliated physician office staff members.
“Further, organizations must implement audit controls and review audit logs regularly,” Frohboese maintained. “As this case shows, a lack of access controls and regular review of audit logs helps hackers or malevolent insiders to cover their electronic tracks, making it difficult for covered entities and business associates to not only recover from breaches, but to prevent them before they happen.”
Per the HHS corrective action plan, MHS must complete a risk analysis and risk management plan, which includes adhering to the following:
- All risks and vulnerabilities identified at MHS related to enterprise-wide PHI security
- Evidence that MHS has implemented and maintains a risk management plan to address such risks and vulnerabilities or dates of expected implementation
- Evidence of implementation or evidence of efforts towards implementation of security measures or other safeguards identified in the risk management plan to address identified risks and vulnerabilities
MHS policies and procedures related to information system activity must also be updated. This includes the regular review of audit logs, access reports, and security incident tracking reports.
Protocols for access to MHS's ePHI by affiliated physicians, their practices, and their employees also need to be revised. MHS policies and procedures related to overall risk analysis and management must be updated as well.
The updated policies and procedures need to be properly distributed to all MHS workforce members, including business associates and affiliated physician practice members.
MHS internal monitoring, external assessments, and internal reporting must also be revised, according to HHS. A key part of this is to ensure that all workforce members with ePHI access are adhering to HIPAA regulations.
“MHS shall require all members of its workforce who have access to ePHI to report to the CR at the earliest possible time any violation of MHS's policies and procedures related to the HIPAA Rules of which they become aware,” the corrective action plan read. “Pursuant to the Internal Reporting Procedure, whenever MHS or the CR learns that a member of its workforce may have violated MHS's policies and procedures related to the HIPAA Rules, the CR, with the full cooperation of MHS, shall promptly investigate the allegations raised and shall document each investigation in writing.”
Audit controls have already been a key OCR focus this year, as the agency discussed the necessity of audit controls in its January cybersecurity newsletter.
OCR explained that reviewing and securing audit trails, and ensuring that the proper tools to collect, monitor, and review those audit trails are in place, are key audit control considerations for covered entities and business associates.
“When determining reasonable and appropriate audit controls for information systems containing or using ePHI, Covered Entities and Business Associates must consider their risk analysis results and organizational factors, such as their current technical infrastructure, hardware, and software security capabilities,” OCR wrote in the newsletter.
UPDATE: On February 17, 2017, an MHS spokesperson emailed comments to HealthITSecurity.com:
"It’s important to put this settlement in perspective to the fact that this situation happened six years ago, and that Memorial Healthcare System proactively reported the actions of the two employees and the findings of its internal investigation regarding the affiliated physicians’ staff to the Department of Health and Human Services’ Office of Civil Rights (OCR). It also simultaneously notified all patients who may have been affected and provided them with free credit-monitoring. Memorial worked closely with law enforcement to assist in their investigations, which ultimately led to federal prosecution and conviction of the criminals.
Upon learning of the breaches, Memorial quickly acted to implement new, sophisticated technologies designed to monitor use and access of patient data, further restricted access to protect patient information, and enacted new policies and procedures to enhance password security. Memorial hired IBM, a global leader in cybersecurity, to provide assessment, response, and monitoring services. IBM continues to provide cybersecurity services to Memorial today. Memorial also hired an independent technology firm to conduct network audits and scans.
Memorial’s February 2017 settlement with the OCR resolves all allegations surrounding these breaches. While Memorial strongly disagrees with many of OCR’s allegations, has admitted no liability and has chosen to settle this case, it nevertheless agrees with the importance OCR places on maintaining the security of patient information.
Safeguarding patients’ health information has always been a top priority at Memorial Healthcare System. We will continue to vigorously monitor access and use of patient information and maintain rigorous cybersecurity and internal safeguards."