Business Associate Pays Penalty of $2.3 Million for ePHI Exposure of 6M People and Multiple HIPAA Failures

The Department of Health and Human Services’ Office for Civil Rights (OCR) has announced its 10th HIPAA violation penalty of 2020. It is the seventh financial penalty settling HIPAA violations to be announced in a matter of days.

The latest penalty is the largest imposed in 2020. The $2.3 million settlement resolves a case involving 5 potential violations of the HIPAA Rules, including the exposure of the electronic protected health information (ePHI) of 6,121,158 people.

CHSPSC LLC, based in Tennessee, is a management company that provides services to numerous subsidiary hospital operator companies and other affiliates of Community Health Systems. Those services include legal, accounting, compliance, operations, IT, health information, and human resources management. Providing them requires access to ePHI, so CHSPSC is classified as a business associate and must comply with the HIPAA Security Rule.

On April 10, 2014, CHSPSC suffered a cyberattack by an advanced persistent threat group known as APT18. The attackers used compromised administrator credentials to remotely access CHSPSC’s information systems through its virtual private network (VPN) solution. CHSPSC did not detect the attack itself; it learned of the compromise only when the Federal Bureau of Investigation (FBI) notified it on April 18, 2014 that its systems had been breached.

While the hackers had access to CHSPSC’s systems, the ePHI of 6,121,158 individuals was exfiltrated. The records had been provided to CHSPSC by 237 HIPAA-covered entities that used CHSPSC’s services. The stolen data included names, dates of birth, gender, telephone numbers, email addresses, Social Security numbers, ethnicity, and emergency contact information.

OCR investigated the breach and found systemic noncompliance with the HIPAA Security Rule. It may not always be possible to prevent cyberattacks by advanced threat actors, but once an attack has been detected, action must be taken immediately to limit the harm. Despite the FBI’s April 2014 warning that its systems had been compromised, the hackers remained active in CHSPSC’s information systems for 4 months and were not removed until August 2014. During that period CHSPSC failed to prevent unauthorized access to ePHI, in violation of 45 C.F.R. § 164.502(a), and the attackers continued to steal ePHI.

The failure to respond to a known security incident between April 18, 2014 and June 18, 2014, to mitigate the harmful effects of the breach, and to document the incident and its outcome violated 45 C.F.R. § 164.308(a)(6)(ii).

OCR investigators also found that CHSPSC had failed to conduct an appropriate and comprehensive risk analysis to identify the risks to the confidentiality, integrity, and availability of ePHI, in violation of 45 C.F.R. § 164.308(a)(1)(ii)(A).

Technical policies and procedures to restrict access to information systems containing ePHI maintained by CHSPSC to authorized persons and software programs had not been implemented, in violation of 45 C.F.R. § 164.312(a).

Procedures had not been implemented to ensure that records of information system activity, such as audit logs and system security event monitoring reports, were regularly reviewed, in violation of 45 C.F.R. § 164.308(a)(1)(ii)(D).
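Two of the findings above, compromised administrator credentials used over the VPN and audit logs that were never reviewed, are the kind of gap a routine log review is meant to close. The following is an added example, not code from the article or from CHSPSC, showing what a minimal scheduled review of VPN authentication logs can look like. The log line format, the account names, the IP ranges and the log lines themselves are all constructed for this example; the idea is to flag privileged accounts connecting from outside the networks an organisation expects them to use, and successful logins that follow a burst of failures for the same account.

```python
"""Routine review of VPN authentication logs (added example, not from the article).

Hypothetical assumptions: a syslog-style line format
'<ISO timestamp>Z vpn auth user=<name> src=<ip> result=<success|failure>',
a set of accounts considered administrative, and the networks administrators
are expected to connect from. Nothing here is taken from the real incident.
"""
import ipaddress
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone

LINE_RE = re.compile(
    r"^(?P<ts>\S+) vpn auth user=(?P<user>\S+) src=(?P<src>\S+) "
    r"result=(?P<result>success|failure)$"
)

# Constructed values: which accounts are privileged and where they may connect from.
ADMIN_ACCOUNTS = {"domain_admin01", "svc_backup_admin"}
TRUSTED_NETWORKS = [ipaddress.ip_network("10.0.0.0/8"),
                    ipaddress.ip_network("203.0.113.0/24")]


def parse_line(line):
    """Parse one log line into a dict; return None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    try:
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        src = ipaddress.ip_address(m["src"])
    except ValueError:
        return None
    return {"ts": ts, "user": m["user"], "src": src, "result": m["result"]}


def is_trusted(src, networks):
    """True when the source address falls inside one of the expected networks."""
    return any(src in net for net in networks)


def review_vpn_log(lines, admin_accounts=ADMIN_ACCOUNTS,
                   trusted_networks=TRUSTED_NETWORKS,
                   failure_threshold=5, window=timedelta(minutes=15)):
    """Return (rule, user, timestamp) findings that deserve an analyst's attention."""
    findings = []
    recent_failures = defaultdict(list)  # user -> timestamps of failed logins
    for event in filter(None, map(parse_line, lines)):
        user, ts = event["user"], event["ts"]
        if event["result"] == "failure":
            recent_failures[user].append(ts)
            continue
        # Rule 1: a privileged account authenticating from outside the expected networks.
        if user in admin_accounts and not is_trusted(event["src"], trusted_networks):
            findings.append(("admin_login_untrusted_source", user, ts))
        # Rule 2: a success preceded by a burst of failures for the same account.
        burst = [t for t in recent_failures[user] if ts - t <= window]
        if len(burst) >= failure_threshold:
            findings.append(("success_after_failure_burst", user, ts))
        recent_failures[user] = []  # a success closes the failure sequence
    return findings


# Constructed sample log: one admin login from a non-corporate range and one
# account that succeeds right after five failures; the last line is noise.
SAMPLE_LOG = """\
2024-01-15T02:14:05Z vpn auth user=domain_admin01 src=198.51.100.7 result=success
2024-01-15T09:01:00Z vpn auth user=jsmith src=203.0.113.20 result=success
2024-01-15T09:03:11Z vpn auth user=svc_backup_admin src=203.0.113.41 result=success
2024-01-15T22:10:00Z vpn auth user=jsmith src=198.51.100.9 result=failure
2024-01-15T22:10:07Z vpn auth user=jsmith src=198.51.100.9 result=failure
2024-01-15T22:10:15Z vpn auth user=jsmith src=198.51.100.9 result=failure
2024-01-15T22:10:22Z vpn auth user=jsmith src=198.51.100.9 result=failure
2024-01-15T22:10:30Z vpn auth user=jsmith src=198.51.100.9 result=failure
2024-01-15T22:11:02Z vpn auth user=jsmith src=198.51.100.9 result=success
this line is not a vpn auth record
""".splitlines()

if __name__ == "__main__":
    for rule, user, ts in review_vpn_log(SAMPLE_LOG):
        print(f"{ts.isoformat()} {rule} user={user}")
```

Run on the constructed sample, the review reports two findings: the administrator login from 198.51.100.7 and the jsmith login that followed five failures. In practice the review would be scheduled, its output routed to whoever is responsible for incident response, and the fact that it ran and who looked at the results recorded, since the retained record of review is what the log-review requirement asks for.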

Threat actors frequently target the healthcare sector. The failure to implement the security measures required by the HIPAA Rules, particularly after being informed by the FBI of a probable breach, cannot be excused, and a substantial financial penalty was therefore appropriate.

CHSPSC chose not to contest the case and agreed to pay the financial penalty to settle the HIPAA violations. The settlement also requires CHSPSC to adopt a robust corrective action plan addressing all areas of noncompliance, and CHSPSC will be closely monitored by OCR for two years.