Children’s Hospital Colorado Pays $548K Penalty for HIPAA Training and Risk Analysis Failures
Children’s Hospital Colorado has been fined $548,265 by the Department of Health and Human Services’ Office for Civil Rights (OCR) to resolve violations of the HIPAA Privacy and Security Rules discovered during an investigation of a phishing incident.
The civil monetary penalty covers the impermissible disclosure of the electronic protected health information (ePHI) of 10,840 individuals that occurred when one or more unauthorized third parties accessed the email accounts of three employees in 2020. The penalty was substantially higher, however, because the investigation also found that a significant number of workforce members had not been provided with HIPAA Privacy Rule training and that a HIPAA-compliant risk analysis had not been conducted for several years.
OCR launched an investigation of Children’s Hospital Colorado after being notified about a phishing incident in 2017 that involved the ePHI of 3,370 patients. A physician responded to a phishing email, which gave a threat actor access to their email account. A password alone should not have been sufficient to gain access, as Children’s Hospital Colorado had implemented 2-factor authentication; in this case, however, the IT support team had deactivated 2-factor authentication on the account and failed to re-activate it.
OCR received another breach report in 2020 following a second phishing incident, this time involving the email accounts of three employees. A threat actor accessed the email account of one employee on April 6, April 12, and April 13, 2020, using a German IP address. A further two accounts were accessed from an unauthorized U.S. IP address between April 6, 2020, and April 12, 2020. The accounts contained the ePHI of 10,840 individuals. Two employees granted the threat actor access to their accounts by responding to MFA prompts that they had not generated.
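Two controls a defender would want in place after reading the two incidents above, written here as an added example (not code from the hospital, OCR, or any vendor): an audit of 2-factor exceptions that were never re-enabled, and two checks over sign-in records for push prompts that were approved from a country the user has never signed in from, or approved after a burst of denied prompts. All records, user names, dates and the BASELINE set are constructed for the example.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed records, not data from the incidents. An MFA exception is a helpdesk
# request to switch 2FA off for a user, with the date it was due to be switched back on.
MFA_EXCEPTIONS = [
    {"user": "dr.smith", "reenable_by": "2017-03-03", "mfa_enabled": False},
    {"user": "rn.jones", "reenable_by": "2020-04-02", "mfa_enabled": True},
    {"user": "it.lee",   "reenable_by": "2020-04-20", "mfa_enabled": False},
]

# Constructed sign-in events: (user, UTC time, source country, push-prompt outcome).
SIGNINS = [
    ("emp.a", "2020-04-06T02:10:00", "DE", "denied"),
    ("emp.a", "2020-04-06T02:11:00", "DE", "denied"),
    ("emp.a", "2020-04-06T02:13:00", "DE", "approved"),  # user gave in to repeated prompts
    ("emp.b", "2020-04-06T09:00:00", "US", "approved"),  # normal working-hours sign-in
    ("emp.b", "2020-04-12T03:29:00", "US", "denied"),
    ("emp.b", "2020-04-12T03:30:00", "US", "denied"),
    ("emp.b", "2020-04-12T03:31:00", "US", "approved"),  # same country: only the burst check fires
    ("emp.c", "2020-04-07T08:00:00", "US", "approved"),
]
# Constructed per-user baseline of countries seen during normal use.
BASELINE = {"emp.a": {"US"}, "emp.b": {"US"}, "emp.c": {"US"}}

def stale_mfa_exceptions(exceptions, today):
    """Users whose 2FA is still off after the date it was due to be re-enabled."""
    cutoff = datetime.fromisoformat(today)
    return sorted(e["user"] for e in exceptions
                  if not e["mfa_enabled"] and datetime.fromisoformat(e["reenable_by"]) < cutoff)

def new_country_approvals(signins, baseline):
    """Approved push prompts from a country the user has not signed in from before."""
    return [(u, t, c) for u, t, c, r in signins
            if r == "approved" and c not in baseline.get(u, set())]

def prompt_burst_approvals(signins, min_denied=2, window=timedelta(minutes=10)):
    """Approvals preceded by at least `min_denied` denied prompts for the same user within `window`."""
    recent = defaultdict(list)  # per-user timestamps of recent denied prompts
    hits = []
    for u, t, c, r in sorted(signins, key=lambda e: e[1]):
        ts = datetime.fromisoformat(t)
        recent[u] = [d for d in recent[u] if ts - d <= window]
        if r == "denied":
            recent[u].append(ts)
        elif r == "approved" and len(recent[u]) >= min_denied:
            hits.append((u, t, c))
    return hits
```

A country check alone would not have flagged the two accounts accessed from a U.S. IP address, which is why the prompt-burst check is the one that covers that case.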
Children’s Hospital Colorado has agreements with nursing schools and provides clinical opportunities to nursing students, which require access to patient records. Nursing students are part of the workforce, which means they must be provided with HIPAA Privacy Rule training. Children’s Hospital Colorado informed OCR that nursing students were not provided with HIPAA Privacy Rule training, as its Privacy Rule training program was not finalized until September 30, 2018, and nursing students were not routinely provided with HIPAA Privacy Rule training until November 30, 2018. Children’s Hospital Colorado also informed OCR that between January 1, 2013, and December 31, 2018, 6,666 members of the workforce had not been provided with HIPAA Privacy Rule training, including 3,495 nursing students.
OCR has launched an enforcement initiative on the risk analysis requirement of the HIPAA Security Rule, as it is one of the most commonly identified HIPAA violations. Children’s Hospital Colorado performed risk analyses but was not fully compliant with this HIPAA Security Rule provision, as the risk analyses did not cover all locations and systems containing ePHI. On June 19, 2018, OCR provided technical assistance on the risk analysis requirement for that reason. When OCR investigated the second phishing incident, Children’s Hospital Colorado confirmed that its IT security service provider, Tevora, had conducted a risk analysis on February 5, 2021, which OCR determined was compliant with the HIPAA Security Rule; however, it was the first fully compliant risk analysis.
Children’s Hospital Colorado was given the opportunity to resolve the alleged HIPAA violations informally through a settlement, which would have involved payment of an agreed penalty and the adoption of a corrective action plan. The parties did not reach a settlement, so a civil monetary penalty was imposed. Evidence of mitigating factors was submitted, but OCR determined that it did not support a waiver of the HIPAA penalty.