Share this article on:
The Department of Health and Human Services’ Office for Civil Rights has closed the investigation into the 2015 Bizmatics data breach. The breach, which was discovered in late 2015, affected many of the company’s clients.
The malware was discovered to have been installed on a server in early 2015. The server was used to house the company’s PrognoCIS EMR database. At least 300,000 patients were impacted and potentially had their PHI exposed as a result of a malware infection.
A thorough breach investigation was conducted but Bizmatics was unable to confirm whether data were actually viewed or copied by the malicious actor responsible for installing the malware. No public breach announcement was issued by Bizmatics, although all affected clients were notified if the PHI of their patients was potentially accessed.
The Office for Civil Rights conducted an investigation into the breach, but it would appear that the case has now been closed with no action against the business associate deemed necessary.
When OCR conducts data breach investigations, investigators assess the company to determine whether HIPAA Rules have been violated. OCR also looks at the actions taken following the discovery of the breach to ensure that access to data has been blocked and any security vulnerabilities have been adequately addressed.
When the actions of the covered entity have been insufficient or when serious breaches of HIPAA Rules are discovered to have occurred, a financial penalty may be deemed to be appropriate. However, oftentimes the actions taken by the covered entity to mitigate risk and prevent further PHI breaches are deemed to be sufficient. This appears to be the case with Bizmatics Inc.
Following the discovery of the malware, Bizmatics removed the malicious software and conducted a comprehensive scan of its systems to determine whether any traces of malware or backdoors remained. A risk assessment was performed, anti-virus and anti-malware software were upgraded, as were computer hardware and operating systems. Bizmatics also changed its firewall configurations and server and account passwords.
Additionally, Bizmatics improved security by setting stricter password policies and purchased and installed a new system for monitoring network traffic to identify any future network intrusions promptly. OCR received written assurances that these measures had been implemented. OCR deemed the action taken by the business associate to be sufficient.
While Bizmatics appears to be in the clear, that does not mean that there will be no financial penalties issued in response to the breach. All covered entities that submitted breach notices to OCR regarding the Bizmatics breach are likely to be investigated.
Avoiding HIPAA Penalties following a PHI Breach
Covered entities and their business associates can expect to be attacked by cybercriminals. It is not possible to totally mitigate risk and reduce the risk of a PHI breach to zero. It is therefore inevitable that data breaches will occur from time to time.
Covered entities must implement a number of physical, administrative, and technical safeguards to reduce the risk of PHI exposure to a reasonable level. A breach response plan must be developed and that plan executed promptly in the event of a security breach. Following a potential breach of PHI, all reasonable efforts should be made to notify the parties affected and mitigations should be put in place to reduce the risk to breach victims. Security must also be improved to prevent future breaches of PHI. Provided that these steps are taken it is possible to avoid financial penalties.