St. Joseph Health (SJH), a nonprofit healthcare delivery system that operates in California, Texas and New Mexico, entered into a $2,140,500 settlement with the Office for Civil Rights for HIPAA violations. SJH reported that files it created for its meaningful use program were accessible through the Internet from February 1, 2011 through February 13, 2012. Files with ePHI could be accessed through a standard search engine search.
The HIPAA violation resulted from a server that SJH used to store files. The server had a file-sharing application that had a default setting allowing anyone with an Internet connection to access the files. The Office of Civil Rights determined that SJH failed to examine and evaluate how the server was working, and did not perform a proper risk analysis.
SJS agreed to a monetary fine and a corrective action plan.
Posted by BAS - 17 November, 2016
