Sun Sentinel Palm Beach Edition
Hospital pays $5.5 million in settlement
Memorial Healthcare Systems has agreed to pay a $5.5 million settlement to the U.S. Department of Health and Human Services over potential HIPAA violations.
The security breach was discovered when Memorial launched an internal investigation in 2012 after two hospital employees stole patients’ personal information to make money filing phony tax returns, said Kerting Baldwin, a spokeswoman at Memorial Healthcare System.
During its investigation, Memorial discovered that individuals who worked in affiliated physicians’ offices had inappropriately accessed patient information using legitimate login credentials of employees in those offices, Baldwin said.
Memorial reported to the Department of Health and Human Services’ Office of Civil Rights that the protected health information of 115,143 patients had been accessed in the security breach, according to a news release by the U.S. Department of Health and Human Services. The information included people’s names, birthdates and Social Security numbers.
“Memorial worked closely with law en-
forcement to assist in their investigations, which ultimately led to federal prosecution and conviction of the criminals,” Baldwin said.
Memorial also sent letters to patients whose identities might have been exposed and provided them with free credit monitoring.
The U.S. Department of Health and Human Services claims Memorial failed to implement procedures with respect to reviewing, modifying and terminating users’ right of access, as required by the HIPAA rules. The agency said Memorial also failed to regularly review records of information system activity.
Baldwin said Memorial has since implemented new technologies designed to monitor use and access of patient data, further restricted access to protect patient information, and enacted new policies and procedures to enhance password security.
Memorial also contracted an independent technology firm to conduct network audits and scans and hired IBM to provide assessment, response and monitoring services.
“While Memorial strongly disagrees with many of OCR’s allegations, has admitted no liability and has chosen to settle this case, it nevertheless agrees with the importance OCR places on maintaining the security of patient information,” Baldwin said in a statement.
As part of the settlement, Memorial agreed to implement a robust corrective action plan.
“Memorial takes its responsibility to safeguard its patients’ confidential information very seriously,” Baldwin said. “We will continue to vigorously monitor access and use of patient information and maintain rigorous cybersecurity and internal safeguards.”