Health System HIPAA Violation

Posted by BAS - 23 February, 2023


The US Department of Health and Human Services entered into a resolution agreement with an Arizona non-profit hospital system for alleged violations of the HIPAA Security Rule. In 2016, the hospital system discovered that electronic protected health information (ePHI) of more than 2.8 million individuals was improperly accessed. The PHI included patient names, dates of birth, Social Security numbers, clinical health details, and lab results, among other information. The health system voluntarily submitted a breach notification report to HHS.

The government investigation determined that the hospital system did not perform an accurate and thorough risk analysis of the confidentiality, integrity, and availability of ePHI, did not have procedures to review records of system activity, and did not verify that entities accessing ePHI were who they claimed to be.

The Corrective Action Plan between the hospital system and HHS requires payment of $1.25 million and adherence to a corrective action plan requiring risk management. More information about the breach and settlement agreement may be accessed by clicking here.
