Memorial Healthcare Systems in Florida was fined $5.5 million for allowing the information of about 115,000 patients to be accessed “impermissibly”.
Memorial, which operates 6 hospitals, an urgent care center, a nursing home and other healthcare facilities in South Florida, reported the breach in 2012 – 5 years ago – after it discovered the problem. Exactly why it should take Health and Human Services 5 years to complete an investigation is a mystery to me.
The information taken includes names, birth dates and social security numbers.
Apparently, two employees who worked in an affiliated physicians’ office accessed the hospital’s systems for a year, stole patient records of over 100,000 patients and used that data to file fraudulent tax returns.
After discovering that employees had been stealing data for a year, Memorial worked with federal law enforcement which ultimately led to the conviction of the people who filed the false tax returns using that stolen data.
Apparently, even though Memorial had been told for the six years prior to discovering the breach that its failure to review employee data access records was a risk, it still did not review those records.
As part of the settlement, Memorial denied any guilt. It seems to me that, if they had been told for six years that something was a risk and chose not to deal with it, they have some degree of guilt. Not admitting guilt is fairly typical in these deals so as to avoid giving plaintiffs who might be suing them any additional leverage.
It appears that the credentials used to access these records were legitimate, but it is unclear to me how the physician’s office staff got access to them.
This brings up the bigger issue of logging and auditing, something that affects all businesses: the thieves were using legitimate credentials that had not been assigned to them, so no login failure or lockout would ever have fired, and only a review of who was accessing which records, and how many, could have exposed them.
We are seeing more regulators requiring businesses to maintain more comprehensive audit logs and processes. Besides the HIPAA regulators, DoD and some state regulators have issued new rules or opinions.
But in addition to creating audit logs, you also need to review them and generate alerts from that review. For a business like Memorial, that likely means reviewing millions or even tens of millions of audit records, which requires both software and people, and both cost money. That is likely at the root of the issue. After they discovered the breach, they did implement a review process, but the earlier decision not to review data access records cost them a $5.5 million fine as well as a multi-year corrective action plan with the HIPAA regulator.
This represents a great opportunity for businesses in general to review their auditing processes – what audit data are we collecting, does that audit data meet the regulatory requirements, how long do we store it for and how do we analyze it – to verify that it is appropriate for both compliance reasons and business requirements.
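To make the "review and alert" point concrete, here is an added example of the simplest kind of access-record review that would have surfaced a year of daily bulk record pulls. This is illustrative code written for this post, not anything Memorial or HHS published; the audit-record layout (date, user, workstation, patient ID, action) and the thresholds are assumptions, and the log lines are constructed, not real data. The idea generalizes: compare each account's number of distinct patient records touched per day against the population, and flag accounts that stay far above it day after day.

```python
"""Volume-based review of ePHI access audit records.

Added example for this post. All data is constructed: one audit record per
CSV line in the assumed layout  date,user,workstation,patient_id,action
"""
import csv
import io
from collections import defaultdict
from statistics import median


def build_sample_log() -> str:
    """Constructed audit log: four staff with a normal workload over ten
    days, plus one account ("office_acct") that pulls 40 distinct patient
    records every day from a single affiliated-office workstation."""
    lines = ["date,user,workstation,patient_id,action"]
    for day in range(1, 11):
        date = f"2011-06-{day:02d}"
        # normal users: 3 to 6 patients a day, drawn from a 50-patient panel
        for i, user in enumerate(["nurse_a", "nurse_b", "clerk_c", "dr_d"]):
            for p in range(3 + (day + i) % 4):
                pid = 1000 + i * 100 + (day * 7 + p) % 50
                lines.append(f"{date},{user},ws-{i:02d},{pid},view")
        # the suspicious account touches 40 never-seen patients every day
        for p in range(40):
            pid = 50000 + day * 40 + p
            lines.append(f"{date},office_acct,ws-99,{pid},view")
    return "\n".join(lines) + "\n"


def parse_access_log(text: str) -> list:
    """Parse CSV audit text into a list of dicts keyed by the header row."""
    return list(csv.DictReader(io.StringIO(text)))


def daily_distinct_patients(records) -> dict:
    """Return {user: {date: set(patient_id)}} from parsed audit records."""
    per_day = defaultdict(lambda: defaultdict(set))
    for r in records:
        per_day[r["user"]][r["date"]].add(r["patient_id"])
    return per_day


def flag_high_volume_users(records, factor=5, min_days=3) -> dict:
    """Flag accounts whose distinct-patient count per day exceeds `factor`
    times the population median on at least `min_days` days.

    The median is taken over every (user, day) pair so a single bulk
    harvester cannot drag the baseline up much. Returns {user: summary}.
    """
    per_day = daily_distinct_patients(records)
    all_counts = [len(s) for days in per_day.values() for s in days.values()]
    if not all_counts:
        return {}
    threshold = factor * median(all_counts)   # assumed alerting threshold
    flagged = {}
    for user, days in per_day.items():
        counts = [len(s) for s in days.values()]
        days_over = sum(1 for c in counts if c > threshold)
        if days_over >= min_days:
            flagged[user] = {
                "days_over": days_over,
                "max_per_day": max(counts),
                "total_distinct_patients": len(set().union(*days.values())),
                "threshold": threshold,
            }
    return flagged


if __name__ == "__main__":
    records = parse_access_log(build_sample_log())
    for user, summary in flag_high_volume_users(records).items():
        print(f"ALERT {user}: {summary['days_over']} days over "
              f"{summary['threshold']:.0f} distinct patients/day, "
              f"{summary['total_distinct_patients']} patients total")
```

The population-median baseline is deliberately crude; a real review would also baseline each account against its own history and role, look at after-hours activity, and reconcile accounts against HR records so that a credential still in use after its owner left stands out. The point of the post stands regardless of the heuristic: a rule this simple only works if somebody actually runs it over the records being collected.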