While your business may indeed be a “victim” when
hit by a phishing attack, your enterprise can also be responsible
for violations of law associated with the incident. Earlier this
week, the HHS
Office for Civil Rights ("OCR") announced a $400,000 settlement with Metro Community
Provider Network ("MCPN") related to a 2012 HIPAA breach
caused by a phishing scam. The phishing scam, carried out by
accessing MCPN employees' email accounts, gave a hacker access
to the electronic protected health information ("ePHI")
of 3,200 individuals. In investigating the breach, OCR determined
that, prior to the breach, MCPN had not conducted a
security risk analysis (a requirement under HIPAA). Further, OCR
found that even after MCPN conducted a risk analysis, its analysis
was insufficient to meet the requirements of the HIPAA Security
In addition to the $400,000 fine, MCPN agreed to a corrective
action plan with OCR. That plan requires MCPN to conduct a
comprehensive risk analysis and to submit a written report on the
risk analysis to OCR. Additionally, MCPN will be required to
develop an organization-wide risk management plan, to review and
revise its Security Rule policies and procedures, to review and
revise its Security Rule training materials, and to report to OCR
any instance of a workforce member failing to comply with its
Security Rule policies and procedures.
The MCPH settlement underscores the importance of risk
analyses and workforce training to avoid phishing scams.
Additionally, it is crucial that entities regulated by HIPAA
conduct an enterprise-wide HIPAA risk analysis, update that
analysis to address new threats, and implement policies and
training based on identified risks. Failure to comply with these
essential HIPAA requirements can turn a relatively routine breach
investigation into a $400,000 settlement.
A copy of the MCPN resolution agreement and corrective action
plan is available here. OCR's press release on the settlement
is available here. General Security Rule guidance from OCR
is available here.
The content of this article is intended to provide a general
guide to the subject matter. Specialist advice should be sought
about your specific circumstances.
To print this article, all you need is to be registered on Mondaq.com.
Click to Login as an existing user or Register so you can print this article.
Mintz, Levin, Cohn, Ferris, Glovsky and Popeo, P.C.
At last week's Health Care Compliance Association's annual "Compliance Institute," Iliana Peters, HHS Office for Civil Rights' Senior Advisor for HIPAA Compliance and Enforcement, provided a thorough update of HIPAA enforcement trends as well as a road map to OCR's current and future endeavors.
The challenges that come along with securing sensitive information are unprecedented. It has become extremely difficult to protect data which is stored electronically, and breaches have unfortunately become a frequent occurrence.
Register for Access and our Free Biweekly Alert for
This service is completely free. Access 250,000 archived articles from 100+ countries and get a personalised email twice a week covering developments (and yes, our lawyers like to think you’ve read our Disclaimer).