St. Joseph Health to pay $2 million for HIPAA violations

After an incident exposed the protected health information of 31,800 people, the organization failed to conduct a proper risk analysis, according to federal officials.
By Bernie Monegain
12:36 PM

St. Joseph Health will pay $2,140,500 to settle potential violations of the Health Insurance Portability and Accountability Act of 1996 Privacy and Security Rules.

At issue, according to the Office for Civil Rights, which oversees HIPAA rules, were files containing electronic protected health information that were publicly accessible through internet search engines from 2011 until 2012.

SJH, a nonprofit integrated Catholic healthcare delivery system sponsored by the St. Joseph Health Ministry, will also adopt a comprehensive corrective action plan as part of the settlement.


The health system operates 14 acute care hospitals, home health agencies, hospice care, outpatient services, skilled nursing facilities, community clinics and physician organizations throughout California and in parts of Texas and New Mexico.

On Feb. 14, 2012, SJH reported to OCR that certain files it created for its participation in the meaningful use program, which contained electronic PHI, were publicly accessible on the Internet from Feb. 1, 2011, until Feb. 13, 2012, via Google and also perhaps through other search engines.

The server SJH purchased to store the files included a file-sharing application whose default settings allowed anyone with an Internet connection to access them. The problem occurred after SJH rolled out the server and the file-sharing application, but failed to examine and evaluate how they were working.

The public had unrestricted access to PDF files containing the ePHI of 31,800 individuals, including patient names, health statuses, diagnoses, and demographic information.

Moreover, OCR concluded that although SJH hired contractors to assess the risks and vulnerabilities to the confidentiality, integrity and availability of ePHI, the work was conducted in a patchwork fashion and did not result in an enterprise-wide risk analysis, as required by the HIPAA Security Rule.

“Entities must not only conduct a comprehensive risk analysis, but must also evaluate and address potential security risks when implementing enterprise changes impacting ePHI,” OCR Director Jocelyn Samuels said in a statement.

In addition to the monetary settlement, SJH has agreed to a corrective action plan that requires the organization to conduct an enterprise-wide risk analysis, develop and implement a risk management plan, revise its policies and procedures, and train its staff on these policies.

Data breaches and HIPAA violations will be among the topics experts discuss at the HIMSS and Healthcare IT News Privacy & Security Forum in Boston, which takes place Dec. 5-7, 2016. What to expect:
⇒ How to beat back hackers and savvy cybercriminals? Delve into the dark web
⇒ A CISO, consultant, and infosec vendor nail down cybersecurity best practices
⇒ Gone phishin': Mayo Clinic shares tips for fending off attacks
⇒ Security budgets grow but breaches continue unless hospitals adopt best practices
⇒ Think offshoring PHI is safe? You may not be covered if a business associate breaches data
