The HHS’ Office for Civil Rights (OCR) has announced its seventh civil monetary penalty of 2024 for HIPAA violations by a covered entity. It is also the 15th OCR enforcement action this year to end in a financial penalty.
On July 11, 2017, an unauthorized person gained access to a Children’s Hospital Colorado physician’s email account after a phishing email was clicked. The account contained the electronic protected health information (ePHI) of 3,370 patients. Two-factor authentication had been enabled on the account, but IT support had disabled it and never re-enabled it. The breach report submitted to OCR prompted an investigation into compliance with the HIPAA Rules, but at that time OCR took no action against Children’s Hospital Colorado.
Three years later, between April 6 and April 13, 2020, an unauthorized third party accessed the email accounts of three hospital workers. The breach notice sent to OCR on July 27, 2020, and the OCR breach portal both put the number of affected individuals at 2,553.
OCR’s investigation found that the second breach actually compromised the ePHI of 10,840 individuals, including names, medical record numbers, medical diagnoses, dates of service, zip codes, driver’s license numbers, and Social Security numbers. During the attack, an unauthorized individual using a German IP address accessed one worker’s email account on three occasions, and an unauthorized individual using a U.S. IP address accessed two other accounts on several occasions over the same period. All three accounts had multi-factor authentication (MFA) enabled. However, the workers approved MFA requests that they had not initiated (the technique commonly called MFA fatigue or push bombing), which allowed the threat actor to bypass MFA and access the accounts.
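The two authentication failures described above (an account whose second factor was disabled and never re-enabled, and a burst of push prompts that a user eventually approved from an unfamiliar country) are both detectable in ordinary identity-provider sign-in logs. The following is an added example, not code from Children’s Hospital Colorado, OCR, or any identity provider: the event names, field layout, thresholds, and the sample log are all constructed for illustration, and a real deployment would map its own provider’s event schema onto them.

```python
"""Detect MFA-disabled accounts and MFA push fatigue in sign-in logs.

Added example; event names (mfa_disabled, mfa_push_sent, ...) and the
sample log below are constructed and do not match any specific provider.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events (not real hospital logs).
# Each tuple: ISO-8601 UTC timestamp, user, event name, source country.
SAMPLE_LOG = [
    # 2017-style failure: second factor switched off and never restored
    ("2017-07-10T09:00:00", "doctor1", "mfa_disabled", "US"),
    ("2017-07-11T14:30:00", "doctor1", "login_success", "US"),
    # Normal sign-in: one prompt, approved, from the user's usual country
    ("2020-04-06T08:00:00", "nurse1", "mfa_push_sent", "US"),
    ("2020-04-06T08:00:05", "nurse1", "mfa_push_approved", "US"),
    ("2020-04-06T08:00:06", "nurse1", "login_success", "US"),
    # Push fatigue: four prompts in two minutes from a new country, then approval
    ("2020-04-06T22:10:00", "nurse1", "mfa_push_sent", "DE"),
    ("2020-04-06T22:10:40", "nurse1", "mfa_push_sent", "DE"),
    ("2020-04-06T22:11:15", "nurse1", "mfa_push_sent", "DE"),
    ("2020-04-06T22:11:50", "nurse1", "mfa_push_sent", "DE"),
    ("2020-04-06T22:12:05", "nurse1", "mfa_push_approved", "DE"),
    ("2020-04-06T22:12:06", "nurse1", "login_success", "DE"),
    # Disabled for maintenance but re-enabled: should not be flagged
    ("2020-04-07T09:00:00", "admin1", "mfa_disabled", "US"),
    ("2020-04-07T09:05:00", "admin1", "mfa_enabled", "US"),
]


def parse(events):
    """Parse timestamps and return events in chronological order."""
    rows = [(datetime.fromisoformat(ts), u, e, c) for ts, u, e, c in events]
    return sorted(rows, key=lambda r: r[0])


def mfa_disabled_accounts(events):
    """Accounts whose most recent MFA state change left MFA disabled.

    This is the audit check that would have caught the 2017 account: a
    disable that is never followed by an enable.
    """
    state = {}
    for _, user, event, _ in parse(events):
        if event in ("mfa_disabled", "mfa_enabled"):
            state[user] = event
    return sorted(u for u, s in state.items() if s == "mfa_disabled")


def push_fatigue(events, threshold=3, window=timedelta(minutes=5)):
    """Flag approvals preceded by >= threshold push prompts within window.

    Each alert records the user, the number of prompts in the burst, the
    country the approval came from, and whether that country has never
    produced a successful login for the user before (a strong signal that
    the approved prompt was attacker-initiated).
    """
    known_countries = defaultdict(set)   # countries with prior successful logins
    recent_prompts = defaultdict(list)   # timestamps of recent pushes per user
    alerts = []
    for ts, user, event, country in parse(events):
        if event == "mfa_push_sent":
            # keep only prompts still inside the sliding window
            kept = [t for t in recent_prompts[user] if ts - t <= window]
            recent_prompts[user] = kept + [ts]
        elif event == "mfa_push_approved":
            burst = [t for t in recent_prompts[user] if ts - t <= window]
            if len(burst) >= threshold:
                alerts.append({
                    "user": user,
                    "prompts": len(burst),
                    "country": country,
                    "new_country": country not in known_countries[user],
                    "approved_at": ts.isoformat(),
                })
            recent_prompts[user].clear()
        elif event == "login_success":
            known_countries[user].add(country)
    return alerts


if __name__ == "__main__":
    print("MFA disabled and not restored:", mfa_disabled_accounts(SAMPLE_LOG))
    for alert in push_fatigue(SAMPLE_LOG):
        print("Possible push fatigue:", alert)
```

The threshold and window are deliberately low so the constructed burst trips the rule; in production they should be tuned against a baseline of legitimate prompt counts, and the `new_country` flag is the field worth prioritising, since a burst that ends in an approval from a location the user has never signed in from matches the German-IP access pattern OCR described.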
During the investigation, OCR also found that between March 1, 2018 and November 30, 2018, Children’s Hospital Colorado had “Agreements for Student Education” in place with 26 universities and colleges whose nursing students were assigned to its facilities for clinical rotations. The nursing students were given access to PHI while on rotation. The agreements stated that nursing student orientation would cover administrative policies and standards relating to confidentiality laws, and guidelines and procedures for handling patient records, and they expressly recognized that under the HIPAA Privacy Rule a nursing student is considered a member of the hospital’s workforce. Despite being given PHI access, the nursing students did not receive HIPAA Privacy Rule training.
Children’s Hospital Colorado advised OCR that between January 1, 2013 and December 31, 2018, 6,666 workforce members, including 3,495 nursing students, had not received HIPAA Privacy Rule training. Its HIPAA Privacy Rule training policies and procedures were not finalized until September 30, 2018, and Privacy Rule training for nursing students did not begin until November 30, 2018.
OCR confirmed the impermissible disclosure of 10,840 individuals’ ePHI. The investigation also established that Children’s Hospital Colorado did not perform a HIPAA-compliant risk analysis until February 5, 2021. The risk analyses conducted before that date were not accurate and thorough, because they did not cover all of the areas and systems that created, received, maintained, or transmitted ePHI.
OCR gave Children’s Hospital Colorado the opportunity to resolve the alleged violations informally, but the matter was not resolved that way, and OCR imposed a $548,265 civil monetary penalty for the alleged violations of the HIPAA Privacy and Security Rules.