Memorial Healthcare System (MHS) entered into a settlement of alleged violations of the HIPAA privacy and security rules. The settlement required MHS to pay $5.5 million.
MHS is a nonprofit corporation that operates hospitals, urgent care and other health care facilities in South Florida. HHS investigated MHS after MHS reported that protected health information of more than 115,000 individuals was improperly accessed by employees and potentially disclosed to physician office staff. The information included names, dates of birth and Social Security numbers. The investigation showed that the login credentials of a terminated employee had been used to access the electronic protected health information (ePHI). Although MHS had policies in place for ending access upon termination, it was determined that MHS did not actually follow those procedures and did not end access upon termination of employment. The former employee’s login credentials were used to access the ePHI from April 2011 to April 2012.