Want to Know Why Memorial Healthcare Systems Is Paying HHS OCR $5.5 Million?

Foley Hoag LLP - Security, Privacy and the Law
Contact

On February 16, 2017, HHS OCR announced that Memorial Healthcare Systems (MHS) had paid the U.S. Department of Health and Human Services (HHS) $5.5 million to settle potential violations of HIPAA’s Privacy and Security Rules and agreed to implement a “robust” three year corrective action plan and resolution agreement.  Why did MHS pay so much?  A long-term failure to close security holes that led to identity theft and fraudulent tax returns.

MHS is a non-profit corporation that operates six hospitals, an urgent care center, a nursing home, and a variety of ancillary health care facilities in  South Florida.  MHS discovered this issue and reported to HHS OCR that the PHI of 115,143 individuals had been impermissibly accessed by its employees and impermissibly disclosed to affiliated physician office staff. This information consisted of the affected individuals’ names, dates of birth, and Social Security numbers. The login credentials of a former employee of an affiliated physician’s office had been used to access the ePHI maintained by MHS on a daily basis without detection from April 2011 to April 2012, affecting 80,000 individuals.

According to HHS OCR, MHS had “identified this risk on several risk analyses conducted … from 2007 to 2012.”  According to the MHS corrective action plan, “some of these instances led to federal charges relating to selling [PHI] and filing fraudulent tax returns.”  Indeed, MHS stated that “The security breach was discovered when [MHS] launched an internal investigation in 2012 after two hospital employees stole patients’ personal information to make money filing phony tax returns….  During its investigation, [MHS] discovered that individuals who worked in affiliated physicians’ offices had inappropriately accessed patient information using legitimate login credentials of employees in those offices….”

 

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© Foley Hoag LLP - Security, Privacy and the Law | Attorney Advertising

Written by:

Foley Hoag LLP - Security, Privacy and the Law
Contact
more
less

Foley Hoag LLP - Security, Privacy and the Law on:

Reporters on Deadline

"My best business intelligence, in one easy email…"

Your first step to building a free, personalized, morning email brief covering pertinent authors and topics on JD Supra:
*By using the service, you signify your acceptance of JD Supra's Privacy Policy.
Custom Email Digest
- hide
- hide

This website uses cookies to improve user experience, track anonymous site usage, store authorization tokens and permit sharing on social media networks. By continuing to browse this website you accept the use of cookies. Click here to read more about how we use cookies.