BAS Blog

Phishing Incident Leads to HIPAA Settlement

Written by BAS | Jun 1, 2017 1:00:00 PM

Metro Community Provider Network, a health center located in Colorado, entered into a settlement agreement with the Department of Health and Human Services over alleged violations of HIPAA.

A hacker accessed Network employees’ email accounts after an employee responded to a phishing email. Protected Health Information of approximately 3,200 people was compromised. The Network took corrective action and reported the incident to HHS in 2012.

HHS investigated the incident and determined that the Network had not conducted a risk analysis or implemented a risk management plan, both of which the HIPAA Security Rule requires. It also determined that the steps the Network took after the breach still did not meet Security Rule requirements.

As part of the corrective action plan, the Network must conduct a risk analysis, implement a risk management plan, update its Security Rule training materials and revise its policies and procedures. It also has to pay $400,000 under the settlement.