Memorial Healthcare Systems (MHS) has paid the U.S. Department of Health and Human Services $5.5 million as a result of violations of the Health Insurance Portability and Accountability Act of 1996 (HIPAA). Memorial Healthcare Systems manages six hospitals, an urgent care center and an elderly facility within South Florida.
Between April 2011 and April 2012, the login credentials of a former employee were used by staff members to access and distribute ePHI affecting over 80,000 individuals. The data that was distributed included names, dates of birth and Social Security numbers. MHS had loose policies in place for employees' access to protected health information; however, it failed to implement structural safeguards and audit controls to monitor who can access protected health information. MHS's failure to regularly monitor employee activity within its systems ultimately led to the breach. If it had implemented proper audit controls, MHS could have prevented unauthorized access to its patients' information. Audit controls maintain a system of record of all application processes and system activity by individual users. Having audit controls in place allows covered entities to review inappropriate access, detect potential breaches and malicious activity, and provide evidence during investigations.
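The kind of review that audit controls make possible can be shown with a short Python example, added here for illustration and not taken from MHS or the HHS settlement. It cross-checks access records against an HR roster and summarises activity by accounts that are used after the owner's termination date or that have no owner on record. The log format, roster, account names and record IDs are all constructed assumptions.

```python
import csv
from collections import defaultdict
from datetime import datetime
from io import StringIO

# Constructed HR roster: account -> termination date (None = still employed).
ROSTER = {
    "jdoe": datetime(2011, 3, 15),
    "asmith": None,
}

# Constructed audit log: timestamp, account, workstation, action, patient record.
AUDIT_LOG = """\
2011-03-10T09:12:00,jdoe,WS-014,VIEW,P-1001
2011-04-02T14:30:00,jdoe,WS-022,VIEW,P-1002
2011-04-02T14:31:00,jdoe,WS-022,EXPORT,P-1002
2011-05-19T08:05:00,jdoe,WS-031,VIEW,P-1003
2011-05-19T08:20:00,asmith,WS-014,VIEW,P-1001
2011-06-01T11:00:00,tempuser,WS-040,VIEW,P-1004
"""

def review_audit_log(log_text, roster):
    """Summarise ePHI access by accounts that should no longer be in use."""
    findings = defaultdict(lambda: {"reason": "", "events": 0, "patients": set(),
                                    "workstations": set(), "first": None, "last": None})
    for ts, account, workstation, action, patient in csv.reader(StringIO(log_text)):
        when = datetime.fromisoformat(ts)
        if account not in roster:
            reason = "account not in HR roster"
        elif roster[account] is not None and when > roster[account]:
            reason = "used after termination date"
        else:
            continue  # active employee, or access before the departure date
        f = findings[account]
        f["reason"] = reason
        f["events"] += 1
        f["patients"].add(patient)
        f["workstations"].add(workstation)  # several workstations suggest a shared login
        f["first"] = when if f["first"] is None else min(f["first"], when)
        f["last"] = when if f["last"] is None else max(f["last"], when)
    return dict(findings)

if __name__ == "__main__":
    for account, f in review_audit_log(AUDIT_LOG, ROSTER).items():
        print(f"{account}: {f['reason']}; {f['events']} events, "
              f"{len(f['patients'])} patients, {len(f['workstations'])} workstations, "
              f"{f['first']:%Y-%m-%d} to {f['last']:%Y-%m-%d}")
```

Run on a schedule against real access logs, a report like this surfaces a departed employee's login still in use within days rather than after a year.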
Summary of HIPAA Fines
- Providing access to the protected health information of over 80,000 individuals
- Failure to report breach of ePHI in a timely fashion
- Failure to implement audit controls to monitor system activity
- Failure to implement the correct policies and procedures to prevent, detect and handle security breaches