

OCR Phishing Investigation Uncovers HIPAA Training Failure; Children’s Hospital Colorado Fined $548,265

The HHS’ Office for Civil Rights (OCR) has announced another civil monetary penalty against a HIPAA-regulated entity for non-compliance with the HIPAA Rules. It is the seventh civil monetary penalty of the year and the 15th OCR enforcement action of 2024 to result in a financial penalty.

The latest fine was imposed on Children’s Hospital Colorado Health System, a not-for-profit provider of healthcare services for children and young individuals at its main healthcare facility in Aurora, CO, and 22 other facilities in the Anschutz Medical Campus and throughout the State of Colorado. Children’s Hospital Colorado also has agreements with nursing schools and provides clinical opportunities for nursing students.

On July 11, 2017, an unauthorized individual accessed a physician’s email account after the physician responded to a phishing email. The account contained the electronic protected health information (ePHI) of 3,370 patients. Two-factor authentication had previously been enabled on the account, but the IT help desk had deactivated it and it was never reactivated. The breach was reported to OCR, and an investigation was opened to assess compliance with the HIPAA Rules, but no action was taken against Children’s Hospital Colorado at that time.

Three years later, between April 6, 2020, and April 13, 2020, an unauthorized third party gained access to the email accounts of three employees. According to the breach notice submitted to OCR on July 27, 2020, the compromised accounts contained the ePHI of 2,553 individuals. The OCR breach portal still shows the breach involved 2,553 individuals’ ePHI.


OCR investigated the second breach and determined that the ePHI of 10,840 individuals had been compromised, including names, dates of service, medical record numbers, zip codes, medical diagnoses, Social Security numbers, and driver’s license numbers. In the second attack, one employee’s email account was accessed on three occasions by an unauthorized individual using a German IP address, and two further accounts were accessed on multiple occasions over the same period by an unauthorized individual using a U.S. IP address. The accounts were protected with multi-factor authentication (MFA); however, MFA was bypassed because the employees approved authentication prompts they had not initiated (the push-notification abuse commonly called MFA fatigue), thereby granting the threat actor access to their accounts.
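The access pattern described above (a burst of push prompts, then an approval from a country the user has never signed in from, alongside an account on which MFA had simply been switched off) is detectable from identity-provider sign-in logs. The following Python is an added example, not code from The HIPAA Journal or from Children’s Hospital Colorado: the log format, field names, thresholds and every sample log line are constructed for illustration and do not describe the real incident. It flags an approved push that was preceded by several rejected or timed-out prompts within a short window, notes whether the approving country is new for that user, and separately lists successful sign-ins that completed without any MFA step.

```python
"""Detect MFA push fatigue and MFA-less sign-ins in sign-in logs (added example)."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines (hypothetical format; not from any real system).
# Columns: timestamp user event detail source_ip country
#   event "login_mfa_push": detail is approved / denied / timeout
#   event "login_success":  detail is mfa (MFA completed) or none (no MFA enforced)
SAMPLE_LOG = """\
2020-04-06T01:58:10Z a.jones login_mfa_push approved 10.20.30.40 US
2020-04-06T02:11:05Z a.jones login_mfa_push denied 203.0.113.7 DE
2020-04-06T02:11:41Z a.jones login_mfa_push timeout 203.0.113.7 DE
2020-04-06T02:12:20Z a.jones login_mfa_push denied 203.0.113.7 DE
2020-04-06T02:13:02Z a.jones login_mfa_push approved 203.0.113.7 DE
2020-04-06T02:13:03Z a.jones login_success mfa 203.0.113.7 DE
2020-04-06T09:00:00Z b.lee login_mfa_push approved 10.20.30.41 US
2020-04-06T09:00:01Z b.lee login_success mfa 10.20.30.41 US
2020-04-07T13:45:12Z c.patel login_success none 198.51.100.23 US
"""


def parse_log(text):
    """Parse the whitespace-separated constructed format into dicts with UTC datetimes."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, event, detail, ip, country = line.split()
        records.append({
            "ts": datetime.fromisoformat(ts.replace("Z", "+00:00")),
            "user": user, "event": event, "detail": detail,
            "ip": ip, "country": country,
        })
    return records


def push_fatigue_alerts(records, window=timedelta(minutes=10), min_prompts=3):
    """Flag an approved push preceded by rejected/timed-out prompts inside `window`.

    An alert fires when the approval plus the earlier prompts in the window reach
    `min_prompts` and at least one of those earlier prompts was not approved.
    `new_country` is True when the user had no earlier approved push from that country.
    """
    by_user = defaultdict(list)
    for r in records:
        if r["event"] == "login_mfa_push":
            by_user[r["user"]].append(r)

    alerts = []
    for user, pushes in by_user.items():
        pushes.sort(key=lambda r: r["ts"])
        known_countries = set()  # countries seen on earlier approved pushes
        for i, r in enumerate(pushes):
            if r["detail"] != "approved":
                continue
            recent = [p for p in pushes[:i] if r["ts"] - p["ts"] <= window]
            rejected = sum(1 for p in recent if p["detail"] != "approved")
            if len(recent) + 1 >= min_prompts and rejected > 0:
                alerts.append({
                    "user": user,
                    "ts": r["ts"],
                    "prompts": len(recent) + 1,
                    "rejected_before_approval": rejected,
                    "ip": r["ip"],
                    "country": r["country"],
                    "new_country": r["country"] not in known_countries,
                })
            known_countries.add(r["country"])
    return alerts


def unenforced_mfa_alerts(records):
    """Successful sign-ins that completed with no MFA step (e.g. MFA disabled and never re-enabled)."""
    return [r for r in records if r["event"] == "login_success" and r["detail"] == "none"]


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    for a in push_fatigue_alerts(recs):
        print(f"PUSH FATIGUE: {a['user']} approved prompt {a['prompts']} of {a['prompts']} "
              f"at {a['ts']:%Y-%m-%d %H:%M:%S} from {a['ip']} ({a['country']}), "
              f"new country={a['new_country']}")
    for r in unenforced_mfa_alerts(recs):
        print(f"NO MFA: {r['user']} signed in from {r['ip']} at {r['ts']:%Y-%m-%d %H:%M:%S}")
```

On the constructed input this raises one push-fatigue alert for a.jones (four prompts in two minutes, the approval from a country with no prior approved sign-in) and one no-MFA alert for c.patel. The thresholds are deliberately loose; in production, tune the window and prompt count to the tenant’s baseline, and treat `new_country` as a scoring signal rather than a hard rule.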

During the investigation, OCR learned that between March 1, 2018, and November 30, 2018, Children’s Hospital Colorado had an “Agreement for Student Education” with 26 universities and colleges under which nursing students were placed on clinical rotation at its facilities. The nursing students had access to PHI during those rotations. The agreements stated that students would be given an orientation covering administrative policies and standards relating to confidentiality laws, rules, regulations, and procedures for patient records, and one agreement specifically stated that a nursing student was part of the hospital’s workforce as defined by the HIPAA Privacy Rule. Despite being given access to PHI, the nursing students were not provided with HIPAA Privacy Rule training.

Children’s Hospital Colorado informed OCR that between January 1, 2013, and December 31, 2018, 6,666 members of the workforce had not been provided with HIPAA Privacy Rule training, including 3,495 nursing students. Its HIPAA Privacy Rule training policies and procedures were not finalized until September 30, 2018, and HIPAA Privacy Rule training for nursing students only started being provided on November 30, 2018.

OCR determined that the ePHI of 10,840 individuals had been impermissibly disclosed and that Children’s Hospital Colorado had not conducted a HIPAA-compliant risk analysis until February 5, 2021. Risk analyses had been performed before that date, but they were not accurate and thorough because they did not cover all locations and systems that created, received, maintained, or transmitted ePHI.

Children’s Hospital Colorado was offered the opportunity to resolve the alleged violations informally, but no informal resolution was reached. The hospital declined to settle with OCR, maintaining that there had been no HIPAA violations and no evidence that any patient data had been accessed. Given the cost and resources an appeal would require, it chose to pay the civil monetary penalty. OCR imposed a civil monetary penalty of $548,265 to resolve the alleged HIPAA Privacy and Security Rule violations.

OCR Penalties for HIPAA Violations (2017-2024)

Author: Steve Alder is the editor-in-chief of The HIPAA Journal. Steve is responsible for editorial policy regarding the topics covered in The HIPAA Journal. He is a specialist on healthcare industry legal and regulatory affairs, and has 10 years of experience writing about HIPAA and other related legal topics. Steve has developed a deep understanding of regulatory issues surrounding the use of information technology in the healthcare industry and has written hundreds of articles on HIPAA-related topics. Steve shapes the editorial policy of The HIPAA Journal, ensuring its comprehensive coverage of critical topics. Steve Alder is considered an authority in the healthcare industry on HIPAA. The HIPAA Journal has evolved into the leading independent authority on HIPAA under Steve’s editorial leadership. Steve manages a team of writers and is responsible for the factual and legal accuracy of all content published on The HIPAA Journal. Steve holds a Bachelor’s of Science degree from the University of Liverpool. You can connect with Steve via LinkedIn or email via stevealder(at)hipaajournal.com
