HIPAA Data Breaches (Information Assurance, Governance, Risk and Compliance)


This topic contains 4 replies, has 1 voice, and was last updated by  FisherCMH 3 years, 3 months ago.



    I was looking through the HIPAA Data Breaches published by Health & Human Services (HHS), https://www.hhs.gov/about/news/2017-news-releases

    This one caught my eye…

    Metro Community Provider Network
    Overlooking risks leads to breach, $400,000 settlement

    “[HIPAA] settlement based on the lack of a security management process to safeguard electronic protected health information (ePHI).”

    “…a hacker accessed employees’ email accounts and obtained 3,200 individuals’ ePHI through a phishing incident. OCR’s investigation revealed that MCPN took necessary corrective action related to the phishing incident; however, the investigation also revealed that MCPN failed to conduct a risk analysis until [2-3 weeks later].”

    “When MCPN finally conducted a risk analysis, that risk analysis, as well as all subsequent risk analyses, were insufficient to meet the requirements of the Security Rule.”

    A data breach is a Privacy event, of course, but it seems a data breach invites an investigation that could reveal Compliance issues.

    It seems to me HIPAA is not strongly policed. Instead it relies on strong penalties to encourage compliance.



    Phishing. Social engineering. I believe it’s our biggest vulnerability today. Do you agree?



    Here’s another example from Health & Human Services (HHS):

    $2.5 million settlement shows that not understanding HIPAA requirements creates risk

    “[HIPAA] settlement based on the impermissible disclosure of unsecured electronic protected health information (ePHI).”

    “…a workforce member’s laptop was stolen from a parked vehicle outside of the employee’s home. The laptop contained the ePHI of 1,391 individuals. OCR’s investigation into the impermissible disclosure revealed that CardioNet had an insufficient risk analysis and risk management processes in place at the time of the theft. Additionally, CardioNet’s policies and procedures implementing the standards of the HIPAA Security Rule were in draft form and had not been implemented. Further, the Pennsylvania-based organization was unable to produce any final policies or procedures regarding the implementation of safeguards for ePHI, including those for mobile devices.”



    Where to begin with the CardioNet breach? It seems prudent to assume end user devices will be compromised. Physical, Administrative, and Technical controls could have spared CardioNet the large fines.



    Here’s another example from Health & Human Services (HHS):

    Memorial Healthcare System
    $5.5 million HIPAA settlement shines light on the importance of audit controls

    “MHS reported to the HHS Office for Civil Rights (OCR) that the protected health information (PHI) of 115,143 individuals had been impermissibly accessed by its employees and impermissibly disclosed to affiliated physician office staff. This information consisted of the affected individuals’ names, dates of birth, and social security numbers. The login credentials of a former employee of an affiliated physician’s office had been used to access the ePHI maintained by MHS on a daily basis without detection from April 2011 to April 2012, affecting 80,000 individuals. Although it had workforce access policies and procedures in place, MHS failed to implement procedures with respect to reviewing, modifying and/or terminating users’ right of access, as required by the HIPAA Rules. Further, MHS failed to regularly review records of information system activity on applications that maintain electronic protected health information by workforce users and users at affiliated physician practices, despite having identified this risk on several risk analyses conducted by MHS from 2007 to 2012.”
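The MHS finding above names two missing controls: terminating users’ access rights and regularly reviewing records of information system activity. As an added example (not from the forum post, HHS, or MHS), the following Python review cross-checks a constructed ePHI application access log against a constructed HR roster, flagging accesses after an account owner’s termination date and affiliated-practice accounts with sustained day-after-day activity; the log format, roster fields and the "MHS" affiliation label are assumptions.

```python
from collections import defaultdict
from datetime import date, datetime

# Constructed sample data (not from the page): an HR roster keyed by
# account name, and an access log from a hypothetical ePHI application.
ROSTER = {
    "jdoe":   {"affiliation": "MHS",                 "terminated": None},
    "rlee":   {"affiliation": "Affiliated Office A", "terminated": date(2011, 3, 15)},
    "mpatel": {"affiliation": "Affiliated Office B", "terminated": None},
}

ACCESS_LOG = """\
2011-04-01T08:02:11 jdoe records_viewed=12
2011-04-01T09:14:53 rlee records_viewed=340
2011-04-02T09:10:07 rlee records_viewed=298
2011-04-03T09:12:40 rlee records_viewed=305
2011-04-03T10:00:00 mpatel records_viewed=4
"""


def parse_log(text):
    """Parse '<ISO timestamp> <account> records_viewed=<n>' lines (assumed format)."""
    events = []
    for line in text.splitlines():
        ts, user, kv = line.split()
        events.append((datetime.fromisoformat(ts), user, int(kv.split("=", 1)[1])))
    return events


def post_termination_access(events, roster):
    """Accesses by an account whose owner was terminated before the access date.

    Any hit means the termination procedure did not revoke the account."""
    findings = []
    for ts, user, count in events:
        term = roster.get(user, {}).get("terminated")
        if term is not None and ts.date() > term:
            findings.append((ts.isoformat(), user, count))
    return findings


def sustained_external_access(events, roster, min_days=3):
    """Non-MHS (affiliated practice) accounts touching ePHI on >= min_days distinct days.

    Returns {account: number_of_distinct_days}; a review step, not proof of misuse."""
    days = defaultdict(set)
    for ts, user, _ in events:
        if roster.get(user, {}).get("affiliation") != "MHS":
            days[user].add(ts.date())
    return {u: len(d) for u, d in days.items() if len(d) >= min_days}
```

Running both checks over each period’s activity records is the routine review the settlement says was absent; in the constructed data the terminated affiliated account is the only one flagged by both.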
