Capline Healthcare Management

Florida Healthcare Provider Fined $1.19M for HIPAA Violation Following Data Breach

Dec 11, 2024

A Florida-based healthcare provider that helps people with pain management got into some hot water with the U.S. Department of Health and Human Services Office for Civil Rights (OCR). They had to cough up a hefty fine of $1.19 million for mishandling private health information. As it happens, they hired a contractor in May 2018 to assist them with their business, and even after the contractor's employment terminated in August 2018, the contractor retained their digital keys, i.e. access to the provider's electronic medical records (EMR) system.

The contractor accessed the electronic protected health information (ePHI) of 34,310 individuals without authorization and submitted about 6,500 false Medicare claims from September 2018 through February 2019. The breach, which occurred on February 20, 2019, compromised sensitive patient information, including names, addresses, Social Security numbers, and insurance information, in addition to medical information. The provider revoked the contractor's access to the system on February 21, 2019, and informed OCR about the breach in April 2019.

OCR's investigation identified multiple compliance failures under the HIPAA Security Rule. Among other things, these included the lack of a comprehensive risk analysis in the provider's practice, insufficient monitoring of system activity, failure to implement strong procedures for terminating access, and limited workstation access policies.

OCR Director Melanie Fontes Rainer spoke about the measures needed to protect patients' information against all risks, stating, "Effective cybersecurity and compliance with the HIPAA Security Rule means being proactive in reviewing who has access to health information and responding quickly to suspected security incidents."

The penalty was reduced under the HITECH Act’s Recognized Security Practices provision, which considers evidence of continuous compliance efforts over the preceding 12 months. This case underscores the need for healthcare entities to align their security measures with HIPAA requirements to prevent costly penalties and protect patient trust.

 

 
