Last week, the U.S. Health and Human Services (HHS) Office for Civil Rights (OCR) released its settlement with CHSPSC LLC, a management company that provides services to subsidiary hospitals and affiliates of Community Health Systems, Inc. (CHS).
The OCR investigation found “longstanding, systemic noncompliance” with the Health Insurance Portability and Accountability Act (HIPAA) Security Rule resulting in the exposure of protected health information (PHI).
Within the agreement, CHSPSC has arranged to pay OCR a hefty fee and adopt a corrective action plan.
Whom did the breach affect?
On April 10, 2014, a threat actor compromised CHSPSC administrative credentials and remotely accessed the information system through its virtual private network (VPN). The group then launched a malware payload.
On April 18, 2014, the Federal Bureau of Investigation (FBI) notified CHSPSC about the breach and the advanced persistent threat (APT).
The threat group, APT18, also known as Dynamite Panda and TG-0146, has operated since at least 2009. Officials believe APT18 is sponsored by China.
According to OCR, “the hackers continued to access and exfiltrate the PHI of 6,121,158 individuals until August [18,] 2014.” That’s four months after the FBI notified the business associate of the threat.
In total, the breach affected 237 covered entities (CEs) serviced by CHSPSC.
Exposed PHI included name, sex, date of birth, phone number, social security number, email, ethnicity, and emergency contact information.
CHSPSC reported the breach to OCR on August 21, 2014.
What did OCR conclude?
The OCR audit found that CHSPSC violated several aspects of the HIPAA Security Rule.
The Security Rule sets necessary national standards to protect electronic PHI (ePHI) that is created, received, used, or maintained by healthcare organizations.
OCR found CHSPSC at fault for:
- Lacking access/review controls and adequate ePHI security
- Not responding to a known security incident or mitigating its harmful effects
- Failing to use security incident procedures
- Not conducting a risk analysis
As part of the resolution agreement, CHSPSC agreed to pay $2.3 million and put an agreed-upon corrective action plan into place within a given amount of time.
As stated in the corrective action plan, it is necessary for CHSPSC to:
- Conduct a current, complete risk assessment
- Create and implement an internal monitoring strategy
- Establish and apply risk analysis and risk management plans
- Update policies and procedures per the Security Rule
- Renew employee awareness training material and implement it immediately and continuously
This settlement demonstrates that HHS has no plans to stop holding CEs and business associates (BAs) accountable for HIPAA noncompliance, even if this isn’t the largest OCR settlement to date, especially when CEs such as CHSPSC do not adequately safeguard ePHI before, during, and/or after a breach.
According to OCR Director Roger Severino, “The failure to implement the security protections required by the HIPAA Rules, especially after being notified by the FBI of a potential breach, is inexcusable.”
Several key learnings here are obvious:
1) Perform due diligence to be HIPAA compliant.
2) Take the necessary steps to adopt strong policies and procedures.
3) Safeguard ePHI, and if a breach happens, cut access to the utilized threat vector immediately.
4) Perform risk assessments and develop an action plan to mitigate risks and vulnerabilities.
5) Utilize continuous and up-to-date employee awareness training.
6) If utilizing BAs, know who they are, and ensure their compliance.
Failure to follow and comply with HIPAA creates unnecessary threats to patients and healthcare organizations. Therefore, carefully review the HIPAA Security Rule to ensure that ePHI is always safe and secure.