A recent settlement with the OCR involved healthcare files that were accessible through search engines. The health system had purchased a server that, unbeknownst to it, featured a default setting that allowed anyone to access sensitive medical information online.

St. Joseph Health (SJH) in Irvine, CA, has agreed to settle potential HIPAA violations related to how files containing ePHI were publicly accessible through search engines from 2011 until 2012. SJH agreed to pay a settlement amount of $2,140,500 and adopt a comprehensive corrective action plan. The health system is comprised of 14 acute care hospitals, plus home health agencies, hospice care, outpatient services, skilled nursing facilities, community clinics, and physician organizations throughout California, as well as in parts of Texas and New Mexico.

SJH self-reported the HIPAA violations on Feb. 14, 2012, alerting OCR that certain files it created for its participation in the meaningful use program, which contained ePHI, had been publicly accessible online from Feb. 1, 2011, until Feb. 13, 2012, via Google and possibly other search engines. The health system traced the breach to a server SJH had purchased to store the meaningful use files, realizing too late that the server contained a file-sharing application with default settings that allowed internet access with no restrictions.

The file-sharing application allowed unrestricted access to files containing the ePHI of 31,800 patients, including names, health statuses, diagnoses, and demographic information. OCR’s investigation determined that the health system was at fault for not inspecting the server and detecting the open door before ePHI was placed on it.

“Although SJH hired a number of contractors to assess the risks and vulnerabilities to the confidentiality, integrity, and availability of ePHI held by SJH, evidence indicated that this was conducted in a patchwork fashion and did not result in an enterprise-wide risk analysis, as required by the HIPAA Security Rule,” OCR reported when announcing the settlement.

In addition to the monetary settlement, SJH agreed to a corrective action plan that requires it to conduct an enterprise-wide risk analysis, develop and implement a risk management plan, revise its policies and procedures, and train its staff on these policies and procedures. The settlement agreement and corrective action plan are available at: http://bit.ly/2dqIWhe.