Provider pays $5.5 million in HIPAA settlement

More than 115,000 patients' information was accessed using a former employees' login information.
More than 115,000 patients' information was accessed using a former employees' login information.

A Florida healthcare provider has paid the government $5.5 million to settle potential Health Insurance Portability and Accountability Act violations after information on more than 115,000 patients was “impermissibly accessed” several years earlier, officials announced Thursday.

Memorial Healthcare Systems, which operates a nursing home, six hospitals and other healthcare facilities in South Florida, reported to the Department of Health and Human Services that patients' protected information, including names, dates of birth and social security numbers, had been accessed by employees and “impermissibly disclosed to affiliated physician office staff.”

The patients' information was accessed using the login credentials of a former employee; the breach went undetected for a year, HHS said.

“Although it had workforce access policies and procedures in place, MHS failed to implement procedures with respect to reviewing, modifying and/or terminating users' right of access, as required by the HIPAA Rules,” the agency said in its release.

MHS also reportedly failed to review records of information system activity for the applications it used to maintain patients' information, despite the risk showing up on several risk analysis conducted by the provider between 2007 and 2012.

“As this case shows, a lack of access controls and regular review of audit logs helps hackers or malevolent insiders to cover their electronic tracks, making it difficult for covered entities and business associates to not only recover from breaches, but to prevent them before they happen,” said Robinsue Frohboese, acting director of the HHS Office of Civil Rights.

In a statement to Healthcare Dive, MHS noted that the potential violations happened six years ago, and that the company “reported the actions of the two employees and the findings of its internal investigation regarding the affiliated physicians' staff to the Department of Health and Human Services' Office of Civil Rights (OCR).”

MHS added that it “strongly disagrees” with many of the agency's claims and admits no liability, but “nevertheless agrees with the importance OCR places on maintaining the security of patient information.”