Unsecure files lead to HIPAA fine for St. Joseph Health
St. Joseph Health, a 14-hospital delivery system serving parts of California, Texas and New Mexico, is the latest organization to agree to implement a corrective action plan with the HHS Office for Civil Rights following a breach of protected health information.
Along with the corrective actions, St. Joseph Health will pay a settlement fine of $2,140,500. The organization reported a breach in February 2012 after files created for its electronic health record meaningful use program were accessible on the Internet for about half of that month.
“The server SJH purchased to store the files included a file sharing application whose default settings allowed anyone with an Internet connection to access them,” according to an OCR statement. “Upon implementation of this server and the file sharing application, SJH did not examine or modify it. As a result, the public had unrestricted access to PDF files containing the electronic protected health information of 31,800 individuals, including patient names, health statuses, diagnoses and demographic information.”
St. Joseph Health did hire contractors to assess risks and vulnerabilities of the ePHI, but this did not result in an enterprise risk analysis, according to OCR.
“Entities must not only conduct a comprehensive risk analysis, but also must evaluate and address potential security risks when implementing enterprise changes impacting ePHI,” OCR Director Jocelyn Samuels said in a statement.
The organization acknowledged the settlement and issued the following statement:
“St. Joseph Health is pleased that we could come to a settlement on this issue and we deeply regret any undue concern to our patients. The facts to remember about this case are that data did not include Social Security (numbers), addresses or financial data. Additionally, there is no indication that the information was used by unauthorized persons. Since the situation was discovered, we have invested in a number of initiatives to ensure the continued security of patient data, including $17 million in enhanced data security infrastructure. These measures and more are intended to provide for the safety and security of our patients’ information.”
The resolution agreement and corrective action plan are available here.