HHS settles with Denver provider for $400,000 for 2011 breach

Metro Community Provider Network failed to create a security management plan to protect patient data, an HHS investigation found.
By Jessica Davis
03:23 PM
Share
HIPAA Security Rule

Denver-based Metro Community Provider Network (MCPN) has agreed to pay $400,000 to the U.S. Department of Health and Human Services, in addition to implementing a corrective action plan, HHS announced Wednesday.

The settlement covers a HIPAA violation stemming from a Dec. 2011 breach. A hacker successfully leveraged a phishing attack to access employee email accounts and obtain the data of 3,200 patients. Officials said the settlement reflects MCPN’s lack of security management plan to protect ePHI.

MCPN filed a breach report with HHS on Jan. 27, 2012.

[Also: Ransomware rising, but where are all the breach reports?]

The OCR investigation revealed that although MCPN took necessary corrective action following the phishing incident, the organization failed to conduct a risk analysis until February 2012 - three months after the breach.

Prior to the breach, MCPM hadn’t assessed its security risks and vulnerabilities nor had it created risk assessment plans to address security weaknesses. To make matters worse, officials said all risk analyses were insufficient to meet HIPAA requirements - even after MCPN finally conducted a risk evaluation.

[Also: Health data breaches vs. security incidents: a primer]

“Patients seeking healthcare trust that their providers will safeguard and protect their health information,” OCR Director Roger Severino said in a statement. “Compliance with the HIPAA Security Rule helps covered entities meet this important obligation to their patient communities.”

MCPN is a federally-qualified health center that provides primary medical and dental care, pharmacy services, social work and behavioral health services to the Denver area, serving about 43,000 patients each year.

Twitter: @JessiefDavis