Metro Community Provider Network (MCPN), a Federally Qualified Health Center (FQHC), has incurred a data breach due to an insufficient risk analysis and poor preventative actions. As a result, MCPN has agreed to pay $400,000 to the Office for Civil Rights (OCR). Along with the fee, the health center will implement a corrective action plan as well.
2012 Metro Community Provider Network Data Breach
Dating back to January 27, 2012, the Metro Community Provider Network (MCPN) filed a breach report with the OCR. The report indicated that a hacker accessed an employee's email account through a phishing incident. With the access, the hacker was able to obtain the ePHI of 3,200 individuals.
The OCR investigates the breachThe OCR conducted an investigation and discovered troubling finds:
- MCPN took necessary corrective action related to the phishing incident; however, the investigation also revealed that MCPN failed to conduct a risk analysis until mid-February 2012.
- Prior to the breach incident, MCPN had not conducted a risk analysis to assess the risks and vulnerabilities in its ePHI environment, and, consequently, had not implemented any corresponding risk management plans to address the risks and vulnerabilities identified in a risk analysis.
- When MCPN finally conducted a risk analysis, that risk analysis (as well as all subsequent risk analyses) were insufficient to meet the requirements of the Security Rule.
Sufficient risk analyses are imperativeThe MCPN conducted their annual risk analysis too late, and they did not implement any corrective actions following the risk analysis. Moreover, the risk analysis that was done was insufficient.
Following the investigation and settlement, OCR Director Roger Severino said the following: “Patients seeking health care trust that their providers will safeguard and protect their health information. Compliance with the HIPAA Security Rule helps covered entities meet this important obligation to their patient communities.”
At Paubox, we have written numerous times about the importance of HIPAA and how to avoid violations. Our articles echo Mr. Severino statements about how important meeting HIPAA compliance is for covered entities and business associates. As a Federally Qualified Health Center (FQHC), Metro Community Provider Network (MCPN) provides primary medical care, dental care, pharmacies, social work, and behavioral health care services throughout the greater Denver, Colorado metropolitan area. They service approximately 43,000 patients per year, a large majority of whom have incomes at or below the poverty level. In return for these services, MCPN gets funding and other financial benefits from the government. However, their status as a FQHC is now in question by the OCR following this incident.