Phishing Breach Results in $750,000 HIPAA PenaltyOCR's Sixth Post-Breach Resolution Agreement This Year
Federal regulators have hit the University of Washington Medicine with a $750,000 penalty and a corrective action plan as part of a HIPAA settlement after a 2013 malware-related breach affecting 90,000 individuals. It's the first such resolution agreement stemming from the investigation of a phishing incident.
The settlement with UWM is the sixth HIPAA resolution agreement that the Department of Health and Human Services' Office for Civil Rights has announced so far in 2015 and the third in recent weeks. Penalties levied by OCR in the six resolution agreements in 2015 total about $6 million. Since 2008, OCR has announced 28 resolution agreements and one case involving a civil monetary penalty.
The agreement with University of Washington Medicine, stemming from a phishing incident, is significant because "it serves as notice of the role that social engineering [awareness] exercises and training workforce members on the threats posed by malware hidden in emails can play in preventing catastrophic infiltration of an enterprise information system," says privacy attorney David Holtzman, vice president of compliance at the security consulting firm CynergisTek.
Although OCR's resolution agreement with UWM, announced on Dec. 14, does not specifically mention phishing, an OCR spokeswoman acknowledges that "the incident [at UWM] involved a forged email containing malware in an attachment."
Impact of Malware
In a statement, UWM says the email incident was limited to the information on a single employee's computer. "The malware attack occurred in October 2013 when an employee opened an email link to review a document. The malware provided potential access to contact and other information needed for billing patients that was stored in files on the employee's desktop computer," UWM says. "When the potential breach was discovered, UWM notified the FBI and the OCR."
In the statement, James Fine, M.D., UWM chief information officer, says, "We voluntarily agreed with OCR to continue making our information security program even more robust than the one we have today. We are relieved that there have been no reports of any use or compromise of patient information from this event."
UWM includes several healthcare related entities under the umbrella of the University of Washington, including University of Washington Medical Center, the primary teaching hospital of the University of Washington School of Medicine.
The OCR resolution agreement with UWM focuses on a common denominator found in most other previous OCR settlements stemming from breach investigations: The importance of conducting a comprehensive, timely and enterprisewide risk analysis.
"All too often we see covered entities with a limited risk analysis that focuses on a specific system such as the electronic medical records or that fails to provide appropriate oversight and accountability for all parts of the enterprise," OCR Director Jocelyn Samuels says in a satement about the UWM settlement. "An effective risk analysis is one that is comprehensive in scope and is conducted across the organization to sufficiently address the risks and vulnerabilities to patient data."
OCR says it initiated its investigation of the UWM following receipt of a breach report on Nov. 27, 2013, which indicated that the electronic protected health information of approximately 90,000 individuals was inappropriately accessed after an employee downloaded an email attachment that contained malware.
The malware compromised the organization's IT system, affecting the data of two groups of patients, OCR notes. For 76,000 patients, names, medical record numbers, dates of service, and/or charges or bill balances were exposed. For another 15,000 patients, information compromised included names, medical record numbers, contact information, dates of birth, charges or bill balances, Social Security numbers, insurance identification or Medicare numbers.
In its statement, OCR says its investigation indicated UWM's security policies required its affiliated entities to have up-to-date, documented system-level risk assessments and to implement safeguards in compliance with the HIPAA security rule. "However, UWM did not ensure that all of its affiliated entities were properly conducting risk assessments and appropriately responding to the potential risks and vulnerabilities in their respective environments," OCR says.
The resolution agreement calls for UWM to "develop a current, comprehensive and thorough risk analysis of security risks and vulnerabilities to include the ePHI created, received, maintained or transmitted by UWM facilities and applications, which had been excluded from its August 2014 'HIPAA meaningful use risk assessment.'"
Thus, the UWM corrective action plan spotlights that under HIPAA, covered entities must assess all ePHI for security risks, not just the EHR-related ePHI assessed to fulfill HITECH Act meaningful use program requirements.
Holtzman of CynergisTek also notes that the OCR settlement with UWM underscores the importance of making sure that any HIPAA compliance program is "more than just the words in your mission statement." Healthcare organizations are expected to hold their subsidiaries and affiliates accountable for implementing and exercising privacy and information security safeguards to ensure the confidentiality of protected health information, he says.
"The settlement with UWM includes provisions under the corrective action program which call for structural reorganization of its compliance program," Holtzman says. "The implication is that the weaknesses and deficiencies in the organization's culture of compliance and accountability extended to the highest levels of executive management."
While the OCR resolution agreement focuses mostly on UWM's lack of enterprisewide risk analysis, Rebecca Herold, CEO, of consulting firm The Privacy Professor and co-founder of SIMBUS360, a new security and privacy cloud service business, says the incident involving the malware-infected email may have been avoided with better workforce training.
"It really seems to be a case of not thinking before acting, which could have been prevented with training, and with regular security reminders, which far too few covered entities and business associates provide," she says. "Workers must be reminded about security on an ongoing basis, or they will succumb to tricky phishing messages, and then boom, a breach occurs. This also points to possibly needing better anti-malware tools and a need to review the firewall to see if updates are needed."
Other OCR Settlements
The resolution agreement with University of Washington Medicine was the third that OCR has issued in recent weeks.
On Dec. 1, OCR announced an agreement with Triple-S Management, a health insurer in Puerto Rico. That settlement included a $3.5 million penalty as well as a corrective action plan that also focused on among other things, conducting a risk analysis.
In November, OCR announced a resolution agreement with Lahey Hospital and Medical Center in Burlington, Mass., stemming from an investigation into the theft of a laptop that was used to operate a medical device. That agreement includes an $850,000 fine and a corrective action plan, which also cited Lahey's failure to conduct a thorough risk analysis of all of its electronic protected health information.