Want to Know Why Memorial Healthcare Systems Is Paying HHS OCR $5.5 Million?

Foley Hoag LLP - Security, Privacy and the Law

On February 16, 2017, HHS OCR announced that Memorial Healthcare Systems (MHS) had paid the U.S. Department of Health and Human Services (HHS) $5.5 million to settle potential violations of HIPAA’s Privacy and Security Rules and agreed to implement a “robust” three-year corrective action plan and resolution agreement.  Why did MHS pay so much?  A long-term failure to close security holes that led to identity theft and fraudulent tax returns.

MHS is a non-profit corporation that operates six hospitals, an urgent care center, a nursing home, and a variety of ancillary health care facilities in South Florida.  MHS discovered this issue and reported to HHS OCR that the PHI of 115,143 individuals had been impermissibly accessed by its employees and impermissibly disclosed to affiliated physician office staff. This information consisted of the affected individuals’ names, dates of birth, and Social Security numbers. The login credentials of a former employee of an affiliated physician’s office had been used to access the ePHI maintained by MHS on a daily basis without detection from April 2011 to April 2012, affecting 80,000 individuals.

According to HHS OCR, MHS had “identified this risk on several risk analyses conducted … from 2007 to 2012.”  According to the MHS corrective action plan, “some of these instances led to federal charges relating to selling [PHI] and filing fraudulent tax returns.”  Indeed, MHS stated that “The security breach was discovered when [MHS] launched an internal investigation in 2012 after two hospital employees stole patients’ personal information to make money filing phony tax returns….  During its investigation, [MHS] discovered that individuals who worked in affiliated physicians’ offices had inappropriately accessed patient information using legitimate login credentials of employees in those offices….”

 

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© Foley Hoag LLP - Security, Privacy and the Law | Attorney Advertising
