Latest HIPAA settlement underscores significance of phishing

After a 2011 phishing incident, Metro Community Provider Network has agreed to pay $400,000 to settle claims that it violated HIPAA.

Another day, another HIPAA settlement.

The latest Health Insurance Portability and Accountability Act of 1996 settlement involves Metro Community Provider Network, a federally qualified health center based in Englewood, Colorado. Established in 1989, it provides a variety of services, including dental care, primary care, health education, behavioral health and outreach and enrollment services.

In order to settle potential noncompliance with HIPAA, MCPN will pay $400,000 and implement a corrective action plan.

The settlement comes after a 2011 phishing incident. A hacker allegedly accessed MCPN employees’ email accounts, thus acquiring 3,200 people’s electronic protected health information. MCPN filed a breach report with HHS’ Office for Civil Rights in January 2012.

Although MCPN took the proper corrective measures regarding the phishing incident, OCR claims it did not conduct a risk analysis until February 2012.

In fact, before the phishing incident, MCPN had not conducted a risk analysis or implemented risk management plans. And when MCPN actually did conduct a risk analysis, OCR officials said it — and all subsequent analyses — didn’t meet the Security Rule requirements.

In a statement sent to MedCity News, MCPN said,

In 2011, Metro Community Provider Network (MCPN) had a phishing incident which was reported to Health and Human Services and the Office of Civil Rights. Since that time, the organization has worked with these entities to assure HIPAA compliance, including reaching an agreed upon settlement of $400,000. MCPN is pleased with the work that has been done and continues to assure that patient privacy is protected.

This occurrence highlights how even lower-profile tactics like phishing can have rotten consequences.

MCPN isn’t the only organization to suffer from an email scam blunder. Last April, Metropolitan Jewish Health System in Brooklyn, New York, fell victim to a phishing attack. On January 18, 2016, an employee of MJHS responded to a phishing email. But the breach wasn’t discovered until four days later. The employee’s email account contained 2,483 patients’ PHI, which may have been compromised, according to HIPAA Journal.

And the threat of phishing is even something HHS has had to take note of. Last November, OCR notified HIPAA-covered entities and their business associates of a phishing email disguised as official OCR audit communication.

The alert reads,

The email prompts recipients to click a link regarding possible inclusion in the HIPAA Privacy, Security, and Breach Rules Audit Program. The link directs individuals to a non-governmental website marketing a firm’s cybersecurity services. In no way is this firm associated with the U.S. Department of Health and Human Services or the Office for Civil Rights.

The email came from [email protected] and directed people to http://www.hhs-gov.us. This differs from the official governmental email address ([email protected]) and website (http://www.hhs.gov).
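One way a mail filter or help desk could catch lookalike sender and link domains like the one in the alert, as an added example that is not from the article or from HHS/OCR (only `hhs-gov.us` and `www.hhs.gov` come from the alert; the other sample addresses are constructed):

```python
"""Flag e-mail senders and links that imitate an official domain.

Added example, not code from the article or from HHS/OCR. It checks whether the
host of a sender address or URL is the legitimate domain (or a subdomain of it),
a lookalike that merely embeds the brand label, such as 'hhs-gov.us', or unrelated.
"""
from urllib.parse import urlparse

OFFICIAL_DOMAIN = "hhs.gov"  # the real HHS domain named in the OCR alert


def host_of(value: str) -> str:
    """Return the lowercased host of an e-mail address or URL ('' if none)."""
    value = value.strip().lower()
    if "@" in value and "://" not in value:
        return value.rsplit("@", 1)[1]
    if "://" not in value:
        value = "http://" + value
    return urlparse(value).hostname or ""


def classify(value: str, official: str = OFFICIAL_DOMAIN) -> str:
    """Classify a sender address or link as 'official', 'lookalike' or 'unrelated'."""
    host = host_of(value)
    if host == official or host.endswith("." + official):
        return "official"
    brand = official.split(".")[0]        # 'hhs'
    fused = official.replace(".", "")     # 'hhsgov', as in 'hhsgov.us'
    # Inspect each DNS label, split again on hyphens/underscores, so that
    # 'hhs-gov.us' (label 'hhs-gov') and 'hhs.gov.example.net' both match.
    for label in host.split("."):
        for token in label.replace("_", "-").split("-"):
            if token in (brand, fused):
                return "lookalike"
    return "unrelated"


# Constructed sample inputs (only 'hhs-gov.us' and 'www.hhs.gov' come from the alert).
SAMPLES = [
    "audit@hhs-gov.us",               # constructed sender on the lookalike domain
    "http://www.hhs-gov.us",          # link named in the OCR alert
    "http://www.hhs.gov",             # official site named in the alert
    "someone@mail.hhs.gov",           # constructed subdomain of the real domain
    "https://hhs.gov.example.net/x",  # constructed: real name used as a subdomain elsewhere
    "http://www.example.com",         # constructed, unrelated
]


def triage(samples=SAMPLES) -> dict:
    """Map each sample to its classification."""
    return {s: classify(s) for s in samples}


if __name__ == "__main__":
    for sample, verdict in triage().items():
        print(f"{verdict:9} {sample}")
```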

Photo: D3Damon, Getty Images