- A health care delivery system recently agreed to an OCR HIPAA settlement following reports that it had publicly accessible files containing ePHI from 2011 to 2012.
St. Joseph Health (SJH) notified OCR on February 14, 2012 that certain files containing ePHI were publicly accessible on the internet from February 1, 2011, until February 13, 2012, via Google and possibly other internet search engines.
SJH will pay approximately $2,140,500 as part of its settlement, and must also adopt a corrective action plan, according to an OCR statement.
The information reportedly became accessible to the public when SJH bought a new server to store its files. The server ran a file sharing application whose default setting allowed anyone with internet access to reach the files.
OCR found that SJH failed to examine or modify the server after it was implemented. As a result, SJH potentially disclosed the PHI of 31,800 individuals.
“Evidence indicated that SJH failed to conduct an evaluation in response to the environmental and operational changes presented by implementation of a new server for its meaningful use project, thereby compromising the security of ePHI,” OCR explained.
SJH also did not conduct an “enterprise-wide risk analysis.” Instead, the health system had contractors assess potential risks and vulnerabilities to ePHI in a “patchwork fashion.”
“Entities must not only conduct a comprehensive risk analysis, but must also evaluate and address potential security risks when implementing enterprise changes impacting ePHI,” OCR Director Jocelyn Samuels said in a statement. “The HIPAA Security Rule’s specific requirements to address environmental and operational changes are critical for the protection of patient information.”
Per the corrective action plan, SJH must conduct an enterprise-wide risk analysis. This will include a complete inventory of all electronic equipment, data systems, and applications that contain or store ePHI.
Furthermore, a risk management plan will be developed and implemented. All appropriate SJH workforce members will also need to be properly trained on all necessary policies and procedures. These individuals will then need to certify that they have received the training.
A similar OCR HIPAA settlement was reached earlier this year with the University of Mississippi Medical Center (UMMC).
In that case, UMMC was found to have committed multiple HIPAA violations. OCR determined that in one of those cases, “ePHI stored on a UMMC network drive was vulnerable to unauthorized access via UMMC’s wireless network because users could access an active directory containing 67,000 files after entering a generic username and password.” Approximately 10,000 patients had their ePHI on the directory, dating back to 2008.
The UMMC data breach was first reported, though, when its privacy officer realized that a password-protected laptop was missing from the medical intensive care unit. The subsequent OCR investigation found that the UMMC network drive was in fact vulnerable.
UMMC must conduct a comprehensive risk analysis and then implement a corresponding risk management plan that will need to evaluate and address “any weaknesses in the UM organizational structure (including staff qualifications and authority) responsible for overseeing UM’s compliance with the HIPAA Rules.”