Today, the U.S. Department of Health and Human Services (HHS), Office for Civil Rights (OCR), announced a civil monetary penalty of $548,265 against Children’s Hospital Colorado for violations of the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Privacy and Security Rules. These violations were reported in breach reports received in 2017 and 2020, relating to email phishing and cyberattacks. OCR is responsible for enforcing the HIPAA Privacy, Security, and Breach Notification Rules, which outline the requirements that covered entities (such as health plans, health care clearinghouses, and most health care providers), and business associates must follow to protect the privacy and security of protected health information (PHI). The HIPAA Security Rule sets national standards to safeguard our healthcare system by requiring administrative, physical, and technical measures to ensure the confidentiality, integrity, and security of electronic PHI (ePHI).
“Email remains a very common way for cyber attackers to infiltrate health information systems and compromise privacy and security,” said OCR Director Melanie Fontes Rainer. “Health care entities should identify potential risks and vulnerabilities in email accounts and train their workforce to protect health information in those accounts.”
OCR’s investigation into Children’s Hospital Colorado followed breaches that revealed a phishing attack compromising an email account with 3,370 individuals’ PHI, and a subsequent breach where three email accounts containing 10,840 individuals’ PHI were accessed. The investigation found that the first breach occurred because multi-factor authentication was disabled on an email account. The subsequent breaches occurred partly because workforce members allowed unknown third parties access to their email accounts. Additionally, OCR identified violations of the HIPAA Privacy Rule for failing to train workforce members on the HIPAA Privacy Rule and the HIPAA Security Rule for not conducting a compliant risk analysis to determine the potential risks and vulnerabilities to ePHI in its systems.
In June 2024, OCR issued a Notice of Proposed Determination seeking to impose a civil money penalty. Children’s Hospital Colorado waived its right to a hearing and did not contest OCR’s findings, resulting in a civil money penalty of $548,265.
The Notice of Proposed Determination is available at: HHS – Notice of Proposed Determination
The Notice of Final Determination is available at: HHS – Notice of Final Determination
OCR recommends that health care providers, health plans, health care clearinghouses, and business associates covered by HIPAA take the following steps to mitigate or prevent cyber threats:
- Review all vendor and contractor relationships to ensure business associate agreements are in place as appropriate and address breach/security incident obligations.
- Integrate risk analysis and risk management into business processes, conducted regularly and when new technologies and business operations are planned.
- Ensure audit controls are in place to record and examine information system activity.
- Implement regular reviews of information system activity.
- Utilize multi-factor authentication to ensure only authorized users access ePHI.
- Encrypt ePHI to guard against unauthorized access.
- Incorporate lessons learned from incidents into the overall security management process.
- Provide regular training specific to organizational and job responsibilities, reinforcing workforce members’ critical role in protecting privacy and security.