Misuse of Former Employee’s Login Credentials Leads to $5.5 Million HIPAA Settlement

Compensation Management News

State:

Category

Topic

Date Range (optional)

From:

Open the calendar popup.

To:

Open the calendar popup.

Free Special Resources

Get Your FREE Special Report. Download Any One Of These FREE Special Resources, Instantly!

Featured Special Report

Claim Your Free Cost Per Hire Calculator

This handy calculator lets you plug in your expenses for recruiting, benefits, salaries, and more.

Graphs automatically generate to show you your annual cost per hire and a breakdown of where you are spending the most money.

Download Now!

March 01, 2017

Misuse of Former Employee’s Login Credentials Leads to $5.5 Million HIPAA Settlement

Memorial Healthcare Systems (MHS) has paid the U.S. Department of Health and Human Services (HHS) $5.5 million to settle potential violations of the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Privacy and Security Rules. MHS has also agreed to implement a robust corrective action plan. MHS is a nonprofit corporation which operates six hospitals and ancillary health care facilities throughout southern Florida.

For a Limited Time receive a FREE Compensation Market Analysis Report! Find out how much you should be paying to attract and retain the best applicants and employees, with customized information for your industry, location, and job. Get Your Report Now!

HIPAA folder MHS reported to the HHS Office for Civil Rights (OCR) that the protected health information (PHI) of 115,143 individuals had been impermissibly accessed by its employees and impermissibly disclosed to affiliated physician office staff. This information consisted of the affected individuals’ names, dates of birth, and Social Security numbers.

The login credentials of a former employee of an affiliated physician’s office had been used to access the ePHI maintained by MHS on a daily basis, without detection, from April 2011 to April 2012, affecting 80,000 individuals. Although it had workforce access policies and procedures in place, MHS failed to implement procedures with respect to reviewing, modifying, and/or terminating users’ right of access, as required by the HIPAA Rules.

Further, MHS failed to regularly review records of information system activity on applications that maintain electronic protected health information by workforce users and users at affiliated physician practices, despite having identified this risk on several risk analyses conducted by MHS from 2007 to 2012.

“Access to ePHI must be provided only to authorized users, including affiliated physician office staff” said Robinsue Frohboese, Acting Director, HHS Office for Civil Rights, quoted in a press release. “Further, organizations must implement audit controls and review audit logs regularly. As this case shows, a lack of access controls and regular review of audit logs helps hackers or malevolent insiders to cover their electronic tracks, making it difficult for covered entities and business associates to not only recover from breaches, but to prevent them before they happen.”

The Resolution Agreement and Corrective Action Plan may be found on the OCR website.

View all resources on Health Insurance Privacy (HIPAA)

Featured Free Resource:

Cost Per Hire Calculator

Email Address

Important: The email you enter is not public,
shared in anyway, or displayed on this site.

* *

Re-enter Email Address

* *

First Name

Last Name

BLR, a division of Simplify Compliance LLC

5511 Virginia Way, Suite 150

Brentwood, TN 37027

800-727-5257

HCMNPWS1

Copyright © 2024 Business & Legal Resources. All rights reserved. 800-727-5257
This document was published on https://Compensation.BLR.com
Document URL: https://compensation.blr.com/Compensation-news/Benefits-Administration/HIPAA-Health-Information-Privacy/Misuse-of-Former-Employees-Login-Credentials-Leads