Compromised Administrative Credentials Lead to $2.3 Million Settlement With HIPAA Business Associate
HHS Resolution Agreement: CHSPSC LLC (March 30, 2020); HHS News Release (Sept. 23, 2020)
HHS’s Office for Civil Rights (OCR) has announced a $2.3 million settlement to resolve potential violations of HIPAA’s privacy and security rules related to a breach of protected health information (PHI) affecting more than six million individuals. The breach occurred when a hacking group used compromised administrative credentials to remotely access, through a virtual private network, the information system maintained by a HIPAA business associate. (The business associate provided IT and health information management services to hospitals and physician clinics.) According to OCR, the business associate was unaware of the intrusion until notified by the FBI that an advanced persistent threat had been traced to the business associate’s information system. Despite the FBI’s notice, the hackers were able to exfiltrate PHI—including names, birthdates, contact information, and Social Security numbers—from the information system for several more months. OCR’s investigation uncovered “longstanding, systemic noncompliance” with the HIPAA security rule, including failures to conduct a risk analysis and to implement procedures for information system activity review, security incident response and mitigation, and access controls.
In addition to the settlement payment, the business associate agreed to an extensive corrective action plan (CAP). The CAP requires the business associate to conduct an enterprise-wide risk analysis and adopt a corresponding risk management plan, each subject to OCR review and approval. The business associate must also revise—subject to OCR approval—numerous security policies and procedures, including those addressing technical access controls for software applications and network or server equipment; activity logs; security incident response, reporting, and mitigation; and password management, strength, and safeguarding. The approved policies and procedures must be incorporated into training materials that must be included in training sessions for all workforce members to be held within 30 days of OCR’s approval of the materials. New workforce members must be trained within 14 days after they start work. The business associate also must develop—subject to OCR approval—a plan to internally monitor compliance with the CAP and implement the plan for a specified period, during which periodic compliance reports must be submitted to OCR.
EBIA Comment: As we have noted previously (see our Checkpoint article), security alerts from law enforcement agencies should trigger immediate action—but immediate action is feasible only if covered entities and business associates plan ahead. Robust procedures for tracking information system activity and responding to security incidents are required under the HIPAA security rule and can help contain breaches and mitigate damages. It’s always better to identify and respond to security incidents before the G-men come knocking. For more information, see EBIA’s HIPAA Portability, Privacy & Security manual at Sections XX.D (“Resolution Agreements”), XXV.H (“Guide to Planning for Breach Notification”), XXX.B.1.d (“Information System Activity Review (Required Implementation Specification)”), and XXX.B.6 (“Standard: Security Incident Procedures”). You may also be interested in our webinar “HIPAA Breaches: Preparation and Response” (recorded on 9/10/20).
Contributing Editors: EBIA Staff.