Top 5 Cybersecurity Lessons from Largest HIPAA Settlements Ever
The significance of healthcare cybersecurity is impossible to overestimate in compliance terms. At the core of the HIPAA rules, reasonable security safeguards require every employee within a healthcare organization to comply. The goal is to present a united front against malicious activity and accidental breaches, collaborating to prevent unauthorized access to patients' health data.
The challenge of privacy and security is huge and industry-wide. How can we better protect against unauthorized access of protected health information (PHI)?
- Big fish or small fish organization? The size of an organization doesn't seem to affect how well it can protect and secure sensitive patient data (as confirmed by the top five examples you'll see below).
- Big pond or small pond? Whether serving urban or rural areas, the entity's location does not necessarily provide better insulation or indicate potential safeguard improvements.
- "When" not "if," since the risk is never zero. Suffice it to say, if there is a physical door to sensitive file storage, or a connected device anywhere that accesses electronic protected health information (ePHI), then the organization is at risk of a breach incident.
With the rise of cyber dangers from both unintentional and malicious sources, it is crucial for covered entities and business associates to perform risk management programs on a regular basis and maintain HIPAA safeguards in the fast changing digital ecosystem.
Let's explore the top 5 lessons based on the five largest known HIPAA fines and settlements to date. Furthermore, learn how you can start your own cybersecurity test by simulating a fraudulent phishing email, along with other compliance resources to protect your organization.
Know the Causes
What 5 things must you know to avoid the most expensive HIPAA violations?
The key presumption is that sharing any patient's medical information is unacceptable. As a matter of fact, a special acknowledgment from the patient would be required to share protected health information (PHI) outside of their treatment, payment, or other operations.
HIPAA regulations aim for health providers, insurance companies, and other practices to maintain secure access to sensitive medical information and patient data. The Health Insurance Portability and Accountability Act (HIPAA) is a series of interconnecting laws which set a national standard for healthcare privacy and security of protected health information (PHI).
The HHS Office for Civil Rights (OCR) is the health sector's HIPAA enforcement agency, and any neglect it discovers will result in legal investigations and financial penalties. The legal definition of "willful neglect" is crucial to understanding the gravity of a HIPAA violation (as you can preview in the situations below).
The bulk of the firms cited expose common-yet-avoidable security flaws. Any one of these HIPAA violations can lead to massive fines:
- Failure to conduct an enterprise-wide security risk analysis (SRA).
- Failure to implement adequate risk management programs.
- Failure to conduct regular reviews of information system activity.
- Failure to properly manage secure access to electronic protected health information (ePHI).
- Failure to adequately secure and encrypt devices.
From the CEO to the front desk reception, the goal is to empower each team member to be vigilant against unauthorized access to healthcare IT systems. After a breach incident is discovered, can your organization take the appropriate steps to mitigate the risks? That is partly why regularly conducting an SRA is a HIPAA requirement for covered entities, business associates, and their subcontractors. In addition, our dedicated compliance advisors recommend other preventative measures to clients, such as implementing a Bring Your Own Device (BYOD) policy and providing workforce training for cybersecurity awareness.
Top 5 Most Expensive HIPAA Violations to Date
Time does not heal all cybersecurity wounds.
Check out the 5 highest known HIPAA settlements brought by the HHS Office for Civil Rights (OCR). These enforcement stories offer insights for anyone that regularly deals with the healthcare industry.
$5.1 Million Fine on Lifetime Healthcare Companies (2021) - RANK #5
More than 9.3 million individuals' personal information was exposed for more than a year because of cyber-attackers breaching the organization's IT systems, installing malware, and collecting protected health information.
In 2021, Excellus Health Plan, the health insurance carrier subsidiary of Lifetime Healthcare Companies, was ordered to pay a $5.1 million fine, required to implement corrective measures, and then to undergo two years of monitoring.
One of the problems cited was the failure to conduct an organization-wide security risk analysis (SRA) and to apply risk management procedures, such as reviewing IT system activity.
$5.5 million fine on Memorial Healthcare Systems (2017) - RANK #4
A nonprofit organization called Memorial Healthcare Systems runs six hospitals, an urgent care facility, a nursing home, and several ancillary medical facilities all over the South Florida region.
Between 2011 and 2012, a former employee's login credentials were used to access sensitive information without authorization for over a year, and in 2017 MHS received a $5.5 million penalty. MHS did not adhere to its own policies and procedures for modifying and terminating user access, which is a serious HIPAA violation.
Additionally, risk evaluations conducted over a number of years had already raised concerns about a lack of access restrictions and a lack of routine audit log reviews, making the breach very avoidable.
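The routine audit log review that MHS lacked can be partly automated: compare each ePHI access event against the offboarding roster and flag any account still in use after its termination date. This is an added example, not code from the article or from any of the organizations it names; the users, dates and log lines are constructed.

```python
"""Audit-log review for stale credentials (added example, not from the article).

Flags ePHI access events performed with accounts that belong to workforce
members whose access should already have been terminated. All log lines,
user names and dates below are constructed for illustration.
"""
from datetime import date

# Constructed offboarding roster: user -> date on which access was to end.
TERMINATED = {
    "jdoe": date(2011, 3, 15),
    "rlee": date(2011, 9, 1),
}

# Constructed access-log lines: timestamp, user, action, record id.
LOG_LINES = [
    "2011-03-10T08:02:11 jdoe VIEW patient=10442",    # before termination
    "2011-03-20T09:14:03 jdoe VIEW patient=10587",    # after termination
    "2011-11-02T13:45:19 rlee EXPORT patient=20931",  # after termination
    "2012-01-05T10:00:00 asmith VIEW patient=30001",  # active user
]

def parse_line(line):
    """Split one log line into (date, user, action, target)."""
    ts, user, action, target = line.split()
    return date.fromisoformat(ts[:10]), user, action, target

def find_stale_access(lines, terminated):
    """Return events where a terminated user's account was still in use.

    Each finding records the user, how many days past the termination date
    the event occurred, and the raw line for the investigator.
    """
    findings = []
    for line in lines:
        when, user, action, target = parse_line(line)
        end = terminated.get(user)
        if end is not None and when > end:
            findings.append({
                "user": user,
                "days_after_termination": (when - end).days,
                "action": action,
                "target": target,
                "line": line,
            })
    return findings

if __name__ == "__main__":
    for f in find_stale_access(LOG_LINES, TERMINATED):
        print(f"{f['user']} active {f['days_after_termination']} days after termination: {f['line']}")
```

In practice the roster comes from HR and the log lines from the EHR or identity provider; the comparison logic is the same.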
$5.5 million fine on Advocate Health Care (2016) - RANK #3
Advocate Health Care in Illinois is one of the largest private hospital networks in the country. HHS OCR imposed the $5.5 million fine on Advocate in 2016, which was the highest HIPAA fine up to that date.
HHS ordered the financial penalty after the organization acknowledged that four unencrypted laptops had been stolen and then later experienced two additional breach incidents.
The results of the investigation revealed infractions tracing back to the beginning of the HIPAA rule enforcement. That's why the company accepted the corrective action plan and paid the biggest fine ever levied against a single entity at that time.
$6.85 million fine on Premera Blue Cross (2020) - RANK #2
An investigation revealed that more than 10.4 million individuals were affected by a breach at Premera Blue Cross, the largest health plan in the Pacific Northwest.
To resolve the HIPAA violations, the organization agreed to pay more than $6.85 million in fines (the second-largest settlement in the history of HIPAA investigations). In addition to implementing a corrective action plan, the organization was required to undergo two years of monitoring to ensure compliance.
Hackers gained access to Premera's IT system in May 2014 thanks to a successful phishing email. The malware remained undiscovered for nearly nine months, until January 2015. The investigation discovered widespread noncompliance with HIPAA regulations, including a failure to adopt security risk analysis, risk management, and audit procedures.
$16 million fine on Anthem (2018) - RANK #1
This story is number one due to its record-breaking status as the largest HIPAA settlement ever. (Yikes!) As a major health benefits provider, Anthem experienced the largest health data breach; in 2018, HHS issued a $16 million penalty and Anthem agreed to implement a corrective action plan to bring it into HIPAA compliance.
At least one employee of an Anthem subsidiary opened a fraudulent phishing email, which gave cybercriminals access. Between December 2, 2014, and the end of January 2015, that initial foothold was then used to exploit further vulnerabilities in additional attacks.
In addition to other infractions, the OCR found that Anthem failed to implement the necessary safeguards to prevent hackers, failed to carry out a security risk analysis, and lacked policies for monitoring system activities.
The Reversal of One Expensive HIPAA Violation
$4.3 Million Fine on MD Anderson (2018) THEN REVERSED in 2021
Is a reversal of a HIPAA fine even possible? Yes, but there are conditions. A successful appeal would require evidence. Check out this interesting example of a hospital reversing an issued financial penalty.
The University of Texas MD Anderson Cancer Center (MD Anderson) was issued a financial penalty of $4.3 million in 2018 based on the OCR's investigations into data breaches involving three unencrypted items reported by the hospital between 2013 and 2014.
The financial penalty was overturned in 2021 when the 5th U.S. Circuit Court of Appeals concluded that M.D. Anderson did implement various safeguards to encrypt information for HIPAA Compliance, even though some employees didn't correctly operate the security mechanisms.
"After M.D. Anderson filed its petition for review, HHS conceded that it could not defend a fine in excess of $450,000. The Government's decision was arbitrary, capricious, and contrary to law." (Read the full petition here: https://www.ca5.uscourts.gov/opinions/pub/19/19-60226-CV0.pdf)
Tip for HIPAA Compliance: Establishing cybersecurity safeguards through policies and procedures is long-term protection. Without a process of clear documentation, the default position for HHS investigations will be holding an organization responsible for any liabilities discovered. However, the right evidence can shift that liability away from the organization that demonstrates a good-faith effort.
HIPAA Compliance is a continual process of corrective action
An organization's security is only as strong as its most vulnerable user.
It's a dangerous myth to believe that cybersecurity is "not my job," "not in my purview," or even "only an IT department issue." Avoid relying too heavily on any single security product, which can lower your personal guard. Most importantly, slow down to ensure common-sense prevention and security.
Send a Phishing Email For Training, Educational Purposes
Imagine your IT department designs a test email to mimic a fraudulent phishing email in the following ways:
The phishing email test would appear to be sent from a typical vendor or provider but with one letter misspelled. (An overly simplistic example would be an email sent from "Arnazon.com" with "R-N" letters rather than "Amazon.com" with the correct "M" letter.)
The phishing email test would prompt your employee to reset their user password through the email link.
As your coworkers receive these one-to-one tests in their employee inboxes, you watch the results come in to reveal who opened/clicked the link or who reported the suspicious email.
Would you pass or take the bait? If you have any uncertainty about how you or any of your colleagues might perform, then perhaps this phishing test could prove valuable and instructive for your organization in a controlled scenario.
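The misspelled-vendor trick in the example above (the "rn" in "Arnazon" masquerading as the "m" in "Amazon") can also be caught automatically before the message reaches an inbox. The added example below, which is not code from the article, normalizes the sender domain from a From: header so that such confusable letter pairs collapse back to the real name, then flags any domain that matches a trusted vendor only after normalization. The vendor allowlist, the confusable pairs and the sample headers are constructed assumptions.

```python
"""Lookalike sender-domain check (added example, not from the article).

Normalizes the sender domain of an email From: header so that common
letter substitutions (such as "rn" standing in for "m") collapse to the
real vendor name, then flags any message whose domain matches a trusted
vendor only after normalization. The vendor list, confusable pairs and
sample headers below are constructed for illustration.
"""
import re

# Constructed allowlist of vendor domains the organization actually uses.
TRUSTED_DOMAINS = {"amazon.com", "microsoft.com", "examplevendor.com"}

# Character sequences that read as another letter in a proportional font.
CONFUSABLES = [("rn", "m"), ("vv", "w"), ("cl", "d"), ("0", "o"), ("1", "l")]

def sender_domain(from_header):
    """Extract the lower-cased domain from a From: header value, or None."""
    match = re.search(r"([\w.+-]+)@([\w.-]+)", from_header)
    return match.group(2).lower() if match else None

def normalize(domain):
    """Collapse confusable sequences so a lookalike compares equal to the real name."""
    for fake, real in CONFUSABLES:
        domain = domain.replace(fake, real)
    return domain

def classify_sender(from_header, trusted=TRUSTED_DOMAINS):
    """Return 'trusted', 'lookalike' or 'unknown' for a From: header value."""
    domain = sender_domain(from_header)
    if domain is None:
        return "unknown"
    if domain in trusted:
        return "trusted"          # exact match: the real vendor
    if normalize(domain) in trusted:
        return "lookalike"        # only matches after collapsing confusables
    return "unknown"

if __name__ == "__main__":
    samples = [
        "Amazon <no-reply@amazon.com>",
        "Arnazon Support <security@arnazon.com>",
        "IT Helpdesk <reset@micr0soft.com>",
        "Newsletter <news@othercompany.org>",
    ]
    for header in samples:
        print(f"{classify_sender(header):10s} {header}")
```

A "lookalike" verdict is a good reason to quarantine the message or add a warning banner; it is not proof of fraud on its own, so keep the allowlist narrow to limit false positives.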
HIPAA Compliance Resources
Our dedicated compliance advisors recommend preventative measures, including workforce training and cybersecurity awareness. Preventing unauthorized access of healthcare IT systems requires organization-wide "buy in" from the CEO to the front desk reception.
Healthcare Compliance Pros recommends the following resources so everyone can be vigilant and help maintain HIPAA compliance.
- HIPAA Threat Matrix: Determine where and how PHI is stored, accessed, or transmitted for safeguards appropriate for your organization's needs.
- HIPAA Security Risk Analysis: The SRA process includes tons of safeguards to protect sensitive information along the way.
- Cyber Insurance Policy: Connect with a compliance advisor, so we can help you find a broker to get your organization coverage.
- LMS: Begin training your workforce online, anytime, with over 130 courses in our learning management software.
- HHS 405(d) Knowledge On Demand: Access an excellent training resource designed for all skill levels and in different languages.
In conclusion, cybersecurity is a shared responsibility across an entire organization. Cybersecurity succeeds in environments where vigilance and responsibility are distributed to each team member through awareness and workforce training.