$750,000 HIPAA Settlement Started With a Phishing Email


Today, December 14, 2015, OCR announced that a settlement was agreed upon with The University of Washington Medicine (UWM) for failing to comply with the HIPAA Security Rule because the organization did not implement policies and procedures to prevent, detect, contain, and correct information security violations. The settlement includes a $750,000 fine, a corrective action plan, and the requirement to provide annual reports for up to three years on UWM’s HIPAA compliance efforts.

OCR initiated its investigation of UWM after receiving a breach report in November 2013, which indicated that the electronic protected health information (e-PHI) of approximately 90,000 individuals was accessed after an employee was deceived by a phishing email. The employee clicked and downloaded an email attachment that contained malware. The malware then compromised the organization’s IT system, affecting the confidentiality of approximately 76,000 patients’ records involving a combination of patient names, medical record numbers, dates of service, and/or charges or bill balances, as well as approximately another 15,000 patients’ records involving names, medical record numbers, other demographics such as address and phone number, dates of birth, charges or bill balances, social security numbers, and insurance identification or Medicare numbers.

This is the first settlement of its kind to grow out of a review triggered by a phishing email. A number of large breach incidents reported to OCR over the last several years were caused by malware infiltrating information systems after a workforce member opened a malicious email. We expect that the industry will continue to see these incidents in 2016 and beyond as the phishing threat continues to increase.

During the investigation, OCR found that UWM’s security policies required its affiliated entities and partners to have up-to-date, documented system-level risk assessments and to implement safeguards in compliance with the Security Rule. However, UWM did not ensure that its affiliated entities were properly conducting risk assessments and appropriately responding to the risks and vulnerabilities in their respective environments. The findings of OCR’s investigation underscore the recurring theme in almost every HIPAA settlement: HHS views the enterprise-wide information security risk analysis as the keystone of compliance with the HIPAA Security Rule.

“All too often we see covered entities with a limited risk analysis that focuses on a specific system such as the electronic medical record or that fails to provide appropriate oversight and accountability for all parts of the enterprise,” said OCR Director Jocelyn Samuels. “An effective risk analysis is one that is comprehensive in scope and is conducted across the organization to sufficiently address the risks and vulnerabilities to patient data.”

Don’t become the next victim of a phishing attack. Employee training and awareness can help reduce the risk of your organization being phished. CynergisTek offers custom phishing training assessments for organizations that want to measure and improve their workforce’s resistance to these attacks.

The entire resolution agreement and corrective action plan are available from OCR.