St. Joseph Health in Irvine, Calif., will pay more than $2 million to settle allegations that its 14 hospitals and a host of other healthcare operations left personally identifiable records of 31,800 people exposed on a new computer server.
A file-sharing application on the server had a default setting that allowed Google, other search engines and “anyone with an internet connection” access to them, according to a statement from the Office for Civil Rights at HHS. The files included patients' personal information, diagnoses and health status, the agency said.
The latest HIPAA settlement is the Obama administration's 12th this year. That is a record for any single year since HHS began reporting enforcement actions against HIPAA violators in 2008.
The government alleges St. Joseph Health failed to evaluate how the new server affected the security of its IT systems before putting it into service. As a result, the records remained exposed from Feb. 1, 2011, until Feb. 13, 2012.
The health system had hired a number of contractors to assess “the risks and vulnerabilities” of its protected health information, but their work “was conducted in a patchwork fashion,” the OCR said, adding that the efforts did not meet HIPAA's risk-analysis requirements.
“Entities must not only conduct a comprehensive risk analysis, but must also evaluate and address potential security risks” when making IT changes, said OCR Director Jocelyn Samuels.
Since 2008, there have been 41 HIPAA penalty cases in which the government has collected a total of $55.6 million in penalties and settlements from healthcare payers, providers and health information technology organizations. Nearly $22.9 million in settlements has come so far this year, also a record.
Frequently, the OCR brings a case to emphasize a specific area where compliance is weak. But that didn't seem to be at issue with St. Joseph Health, said Kirk Nahra, a healthcare privacy lawyer at Wiley Rein, Washington, D.C.
At least one other case involved a payer that was dinged for a similar breach, exposing patient records to the internet, Nahra recalls. Several others have been whacked for absent or inadequate security risk assessments.
“I tell my people, one of the things to do is look at what other people are getting hit for,” Nahra said, and then add that to their security checklist.