Failing to Examine Risks Leads to Data Breach and Hefty Settlement Payout


By: Melissa Santalone

The U.S. Department of Health and Human Services Office for Civil Rights (OCR) has announced a $400,000 settlement with Metro Community Provider Network (MCPN), a Federally Qualified Health Center providing primary medical care and other health-related services in the Denver area, over an alleged HIPAA violation that resulted in a data breach stemming from a 2012 phishing scam. On January 27, 2012, MCPN filed a breach report with the OCR indicating that a hacker had used phishing emails to access employee email accounts, resulting in the compromise of the electronic protected health information (ePHI) of 3,200 individuals. The OCR's investigation of the breach revealed that, prior to discovering the breach, MCPN had never conducted a security risk analysis of the risks to and vulnerabilities of the confidentiality, integrity, and availability of its ePHI, in violation of HIPAA. Further, once it did conduct a risk analysis, the analysis was not sufficient to satisfy the HIPAA Security Rule.

As part of the settlement, in addition to paying a fine of $400,000, MCPN has agreed to implement a corrective action plan that requires it to conduct a comprehensive risk analysis and submit a written report to the OCR. Following the risk assessment, MCPN must also develop and enact an organization-wide risk management plan, including reviewing and revising its security policies and procedures and its training materials.

This settlement highlights the importance of conducting regular, thorough risk analyses at all organizations subject to the requirements of HIPAA. According to the OCR Guidance, a thorough risk analysis may involve:

  • Identification of the variety of ePHI an organization creates, collects, maintains, or transmits;
  • Identification of the location(s) where ePHI is stored;
  • Identification and documentation of threats to and vulnerabilities of ePHI;
  • Assessment of current security measures;
  • Assessment of the potential impact of the threat(s);
  • Assessment of the level of risk;
  • Documentation of the overall analysis.

While MCPN failed to conduct a risk analysis at all until after it suffered a breach, the belief that conducting one a single time is enough is not uncommon. The OCR Guidance on this topic calls for periodic review. Significant changes in organizational structure or size, or the implementation of new technology, should trigger an updated risk assessment. If you need assistance with your HIPAA risk assessments, FMG's Cyber Liability, Data Security & Privacy group is here to help.