OCR hits Memorial Healthcare System with $5.5M fine

Memorial Healthcare System in South Florida is being hit with a massive fine as part of a resolution agreement with the Office for Civil Rights of the Department of Health and Human Services.

The healthcare organization was cited for lapses in auditing employee access to protected health information, resulting in data breaches affecting 115,143 individuals. Now, the six-hospital delivery system has paid a $5.5 million fine to OCR as part of the resolution agreement to settle violations of the HIPAA privacy and security rules. The organization also has agreed to follow a corrective action plan to prevent similar data breaches in the future.

The monetary fine is the second largest ever levied by the agency, second only to the $5.55 million penalty OCR levied last August against Advocate Health Care for breach incidents.

Some of the breached information was used to file fraudulent tax returns, OCR reported.

Enhanced OCR enforcement of HIPAA rules continues, and the size of fines for violations is growing as well. Before 2016, the previous record for total fines that OCR levied in any year was $7.9 million; last year, settlement payments hit $25.6 million.


In the agreement that Memorial Healthcare signed, OCR contends employees at Memorial and an affiliated physician practice impermissibly accessed PHI. A former employee at the practice, for instance, was provided access to PHI for more than a year.

“On April 12, 2012, MHS submitted a breach report to HHS indicating that two MHS employees inappropriately accessed patient information, including names, dates of birth and Social Security numbers,” according to OCR. “On July 22, 2012, MHS submitted an additional addendum breach report to notify HHS that during its internal investigation, it discovered additional impermissible access by 12 users at affiliated physician offices. Some of these incidents led to federal charges related to selling protected health information and filing fraudulent tax returns.”


From January 2011 to June 2012, OCR charged, MHS failed to implement procedures to regularly review audit logs, access reports and security incident tracking reports, and further failed to oversee access authorization policies that establish, document, review and modify users' rights of access.

Electronic protected health information must be provided only to authorized users, and “Organizations must implement audit controls and review audit logs regularly,” said Robinsue Frohboese, acting director for OCR, in a statement announcing the sanctions.
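The two failures OCR describes above, credentials of a departed employee still in use and nobody reviewing the access reports that would have shown it, are exactly what a routine audit-log review is meant to catch. The following is an added illustration, not code from the article, from Memorial Healthcare System or from any vendor named in it. It assumes a hypothetical comma-separated EHR access log (timestamp, user, patient ID, action) and a hypothetical HR roster of termination dates; all log lines and roster entries are constructed sample data. It flags (a) any access under an account whose owner has a termination date earlier than the event and (b) any user who touches more distinct patient records in one day than a configurable threshold.

```python
"""Routine audit-log review for impermissible PHI access (added example).

Assumed log format (constructed, not any real EHR product's):
    timestamp,user,patient_id,action
Assumed roster: user -> termination date, or None if still employed.
"""
from collections import defaultdict
from datetime import date, datetime

# Constructed HR roster (hypothetical users).
ROSTER = {
    "jdoe": None,                 # active clinical user
    "asmith": date(2011, 3, 15),  # terminated, but the account was never disabled
    "rlee": None,                 # active front-desk user
}

# Constructed access-log lines. The last group simulates one user pulling
# demographics for 25 distinct patients in a single morning.
SAMPLE_LOG = "\n".join(
    [
        "2011-04-02T09:12:10,jdoe,P1001,view_demographics",
        "2011-04-02T09:14:51,jdoe,P1002,view_demographics",
        "2011-04-03T22:05:03,asmith,P2001,view_demographics",
        "2011-04-03T22:05:40,asmith,P2002,view_demographics",
        "2011-04-03T22:06:12,asmith,P2003,view_demographics",
    ]
    + [f"2011-04-04T08:{m:02d}:00,rlee,P3{m:03d},view_demographics" for m in range(25)]
)


def parse_log(text):
    """Parse the constructed CSV-style log into a list of event dicts."""
    events = []
    for line in text.strip().splitlines():
        ts, user, patient, action = line.split(",")
        events.append(
            {"ts": datetime.fromisoformat(ts), "user": user,
             "patient": patient, "action": action}
        )
    return events


def find_post_termination_access(events, roster):
    """Events where the account's owner was terminated before the access date.

    Accounts missing from the roster are also returned, since an unknown
    principal touching PHI needs review too.
    """
    hits = []
    for e in events:
        if e["user"] not in roster:
            hits.append(e)
            continue
        term = roster[e["user"]]
        if term is not None and e["ts"].date() > term:
            hits.append(e)
    return hits


def find_high_volume_users(events, max_patients_per_day=20):
    """(user, day) pairs whose distinct-patient count exceeds the threshold."""
    per_day = defaultdict(set)
    for e in events:
        per_day[(e["user"], e["ts"].date())].add(e["patient"])
    return {key: len(p) for key, p in per_day.items() if len(p) > max_patients_per_day}


def review(log_text, roster, max_patients_per_day=20):
    """Run both checks and return the findings a reviewer should look at."""
    events = parse_log(log_text)
    return {
        "post_termination": find_post_termination_access(events, roster),
        "high_volume": find_high_volume_users(events, max_patients_per_day),
    }


if __name__ == "__main__":
    findings = review(SAMPLE_LOG, ROSTER)
    for e in findings["post_termination"]:
        print(f"TERMINATED-ACCOUNT ACCESS: {e['ts'].isoformat()} {e['user']} {e['patient']}")
    for (user, day), n in findings["high_volume"].items():
        print(f"HIGH VOLUME: {user} viewed {n} distinct patients on {day}")
```

On the constructed data the first check surfaces the three accesses under the terminated "asmith" account and the second surfaces "rlee" at 25 distinct patients on one day. Neither check is sophisticated; the point of the case is that even a simple review like this, run on a schedule against the roster and the access reports, has to exist and be executed for the audit controls OCR refers to to mean anything.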

In response to the OCR charges and settlement, Memorial Healthcare System issued the following statement:

“Safeguarding patients’ health information has always been a top priority at Memorial Healthcare System. More than five years ago, Memorial was notified that two employees were engaging in criminal conduct involving theft of patient confidential information in 2011. Memorial immediately terminated those individuals and launched an in-depth internal investigation. During its investigation, Memorial discovered that individuals who worked in affiliated physicians’ offices had inappropriately accessed patient information by using legitimate log-in credentials of employees in those physicians’ offices.

“True to its culture of compliance and transparency, Memorial proactively reported the actions of the two employees and the findings of its internal investigation regarding the affiliated physicians’ staff to the Department of Health and Human Services’ Office of Civil Rights (OCR). It also simultaneously notified all patients who may have been affected and provided them with free credit monitoring. Memorial worked closely with law enforcement to assist in their investigations, which ultimately led to federal prosecution and conviction of the criminals.

“Upon learning of the breaches, Memorial quickly acted to implement new, sophisticated technologies designed to monitor use and access of patient data, further restricted access to protect patient information, and enacted new policies and procedures to enhance password security. Memorial hired IBM, a global leader in cybersecurity, to provide assessment, response, and monitoring services. IBM continues to provide cybersecurity services to Memorial today. Memorial also hired an independent technology firm to conduct network audits and scans.

“Memorial’s February 2017 settlement with the OCR resolves all allegations surrounding these breaches. While Memorial strongly disagrees with many of OCR’s allegations, has admitted no liability and has chosen to settle this case, it nevertheless agrees with the importance OCR places on maintaining the security of patient information.

“Memorial…will continue to vigorously monitor access and use of patient information and maintain rigorous cybersecurity and internal safeguards.”
