Provider to pay $2.14 million after patient data made accessible through Google

The potential HIPAA violation put 31,800 patients' data at risk, HHS said

A California-based healthcare provider has agreed to pay $2.14 million to settle allegations that it violated HIPAA when protected health information was made publicly accessible through online search engines, authorities announced Tuesday.

The potential violations occurred in 2011 and 2012, when St. Joseph Health purchased and implemented a new server to store electronic health data. Default settings on the server permitted anyone with an internet connection to search for and access the PDF files via search engines such as Google.

The error resulted in the potential disclosure of 31,800 patients' health data, including names, diagnoses and demographic information, the Department of Health and Human Services' Office of Civil Rights said.
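The failure described above is a server that, out of the box, hands any file to any anonymous client, so a crawler that finds one link indexes the whole document store. The following is an added example, not code from the article or from St. Joseph Health's systems (the article does not name the product involved). It uses Python's standard `http.server` as a stand-in: a `DefaultHandler` that keeps the library's default behaviour (directory listings on, no authentication, no crawler directives) next to a `HardenedHandler` that requires credentials, refuses to enumerate the store and labels every response `noindex`. The `probe` function issues the kind of request a search-engine crawler would, so the two can be compared. The `DEMO_USER`/`DEMO_PASS` credential, the `patient-0001.pdf` filename and its contents are constructed for the demonstration.

```python
"""Added example: contrast a document server's default 'serve everything'
behaviour with a hardened handler that refuses anonymous access and tells
crawlers not to index what it serves. Constructed for illustration only."""
import base64
import hmac
import http.client
import os
import tempfile
import threading
from functools import partial
from http.server import SimpleHTTPRequestHandler, ThreadingHTTPServer

# Constructed demo credential; a real deployment delegates to its identity provider.
DEMO_USER, DEMO_PASS = "records", "demo-only"


def _basic_token(user: str, password: str) -> str:
    return "Basic " + base64.b64encode(f"{user}:{password}".encode()).decode()


class DefaultHandler(SimpleHTTPRequestHandler):
    """Library defaults: directory listing enabled, no auth, no robots headers."""

    def log_message(self, *args):  # keep the demo quiet
        pass


class HardenedHandler(SimpleHTTPRequestHandler):
    """Requires HTTP Basic credentials, disables directory listings and
    marks every response noindex so search engines neither index nor cache it."""

    def _authorized(self) -> bool:
        presented = self.headers.get("Authorization", "")
        return hmac.compare_digest(presented, _basic_token(DEMO_USER, DEMO_PASS))

    def do_GET(self):
        if not self._authorized():
            self.send_response(401)
            self.send_header("WWW-Authenticate", 'Basic realm="records"')
            self.end_headers()  # end_headers() below adds the robots/cache headers
            return
        super().do_GET()

    def list_directory(self, path):
        # Never enumerate the document store, even for authenticated users.
        self.send_error(403, "Directory listing disabled")
        return None

    def end_headers(self):
        self.send_header("X-Robots-Tag", "noindex, nofollow")
        self.send_header("Cache-Control", "no-store")
        super().end_headers()

    def log_message(self, *args):
        pass


def serve(handler_cls, docroot):
    """Start handler_cls on a free loopback port; returns (server, port)."""
    server = ThreadingHTTPServer(("127.0.0.1", 0), partial(handler_cls, directory=docroot))
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server, server.server_address[1]


def probe(port, path, auth=None):
    """GET the path as a crawler (no auth) or a user (auth=(user, password)) would.
    Returns (status, value of X-Robots-Tag or None)."""
    headers = {"Authorization": _basic_token(*auth)} if auth else {}
    conn = http.client.HTTPConnection("127.0.0.1", port, timeout=5)
    try:
        conn.request("GET", path, headers=headers)
        resp = conn.getresponse()
        resp.read()
        return resp.status, resp.getheader("X-Robots-Tag")
    finally:
        conn.close()


def compare_exposure():
    """Serve one constructed PDF under both handlers and report what an
    anonymous crawler, and a credentialed user, obtain from each."""
    with tempfile.TemporaryDirectory() as docroot:
        with open(os.path.join(docroot, "patient-0001.pdf"), "wb") as f:
            f.write(b"%PDF-1.4 constructed placeholder, not real PHI\n")
        results = {}
        for name, cls in (("default", DefaultHandler), ("hardened", HardenedHandler)):
            server, port = serve(cls, docroot)
            try:
                results[name] = {
                    "listing": probe(port, "/"),
                    "document": probe(port, "/patient-0001.pdf"),
                    "document_with_creds": probe(port, "/patient-0001.pdf", (DEMO_USER, DEMO_PASS)),
                }
            finally:
                server.shutdown()
                server.server_close()
        return results


if __name__ == "__main__":
    for server_name, findings in compare_exposure().items():
        print(server_name, findings)
```

Under the default handler every probe, including the bare `/` listing, returns 200 with no crawler directive, which is exactly the state in which a search engine can enumerate and cache the files. The hardened handler answers anonymous requests with 401 and only serves the document to a credentialed client, and even that response carries `X-Robots-Tag: noindex, nofollow` and `Cache-Control: no-store`. A periodic check of this shape, run from outside the network against each server that holds regulated documents, is one concrete component of the enterprise-wide risk analysis the settlement refers to.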

St. Joseph, which operates skilled nursing and hospice facilities, home health agencies and acute care hospitals in California, Texas and New Mexico, hired contractors to assess any vulnerabilities in its protected health information. Despite the use of contractors, the risk analysis was “conducted in a patchwork fashion and did not result in an enterprise-wide risk analysis, as required by the HIPAA Security Rule,” HHS said.

“St. Joseph Health is pleased that we could come to a settlement on this issue and we deeply regret any undue concern to our patients. The facts to remember about this case are that data did not include Social Security (numbers), addresses or financial data,” the provider said in a statement. “Additionally, there is no indication that the information was used by unauthorized persons. Since the situation was discovered, we have invested in a number of initiatives to ensure the continued security of patient data, including $17 million in enhanced data security infrastructure.”

In addition to the settlement, St. Joseph agreed to a corrective action plan that requires it to conduct an organization-wide risk analysis, create a risk management plan, revise its safety policies and retrain its staff on the updated policies.