HIPAA Enforcement Actions – A look back at 2016
By Edwin Smith and Wakaba Tessier on
According to the most recent data provided by the U.S. Department of Health & Human Services, there are currently 3,427 open complaints regarding possible health information privacy violations. Below is a look back at four noteworthy HIPAA breaches that occurred in 2016.
Lack of Process Controls
St. Joseph Health reported to the Office for Civil Rights (OCR) that files containing protected health information (PHI) were publicly available from February 2011 until February 2012. Specifically, PHI was accessible through various search engines, including Google, because the file-sharing application used to store and accumulate the data was placed on a default setting that allowed all Internet users to gain access to the data. OCR found the following violations:
- the accidental disclosure of PHI for 31,800 people;
- the failure of St. Joseph to conduct an environmental and operational evaluation in the implementation of the subject server; and
- Joseph’s assessment of risks associated to the security of the PHI did not meet the standards set out by the HIPAA Security Rule.
On October 13, 2016, after four years of investigation and negotiation, St. Joseph Health and OCR agreed to a $2.14-million settlement. Furthermore, the parties established a corrective action plan, which set forth revised policies regarding implementation of risk analysis, management plans, and training procedures.
Hybrid Model Woes
On November 14, 2016, the University of Massachusetts (UMASS) Amherst Center for Language, Speech, and Hearing settled its dispute with OCR for $650,000. UMASS was the victim of a malware infection that resulted in the impermissible disclosure of PHI belonging to 1,761 people. Due to UMASS’ lack of firewall protection, the Trojan malware was able to gain remote access to UMass’ system and access sensitive information. This data included names of individuals, Social Security information, diagnoses, and procedure codes of those infected.