Failure to Protect ePHI Costs Millions of Dollars

Protecting ePHI (electronic Protected Health Information) should be a top priority for your organization, or you'll soon face huge fines from government entities. Recently, 21st Century Oncology, Inc. (21CO) agreed to pay $2.3 million to the U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR) and to adopt a comprehensive corrective action plan to settle potential violations of the Health Insurance Portability and Accountability Act (HIPAA) Privacy and Security Rules.

21st Century Oncology, Inc. is a provider of cancer care and radiation oncology services headquartered in Fort Myers, Florida. It manages 179 centers across eight countries, the majority of them in the United States. So what exactly happened?

THE HACKER

In 2015, the Federal Bureau of Investigation (FBI) notified 21CO that patient information had been illegally obtained by an unauthorized third party on two separate occasions. An FBI informant had this third party produce 21CO patient files, which the informant then purchased as proof.

The attacker accessed 21CO's SQL database over Remote Desktop Protocol (RDP) from an Exchange server inside 21CO's own network. The intrusion exposed the names, Social Security numbers, physicians' names, diagnoses, treatment, and insurance information of 2,213,597 individuals.

WHAT WENT WRONG?

ASSESSMENT

21CO failed to conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of its electronic protected health information.

SECURITY PROCEDURE

21CO failed to implement security measures sufficient to reduce those risks and vulnerabilities to a reasonable and appropriate level.

RECORD REVIEW

21CO failed to implement procedures to regularly review records of information system activity, such as audit logs, access reports, and security incident tracking reports.

POOR PHI PRACTICES

21CO disclosed protected health information (PHI) to third-party vendors without a written business associate agreement.

CONCLUSION

In addition to the $2.3 million fine from OCR, 21CO is required to complete a risk analysis and a risk management plan, which entails revising its policies and procedures, educating its workforce on those policies and procedures, providing all maintained business associate agreements to OCR, and submitting an internal monitoring plan. On May 25th, 2017, 21CO filed for Chapter 11 bankruptcy protection.

Ensuring that your ePHI is protected is a daunting task, let alone conducting a security risk assessment on an annual basis. If your organization lacks the resources to conduct an annual security risk analysis adequately, you may be forced to outsource the task, at a cost of thousands of dollars.

Etactics and InfoGPS Networks have teamed up to combine an all-in-one GRC tool with professional consulting to make the security risk analysis less daunting and more achievable, regardless of the size of your organization.