Published October 15, 2020

Systemic Noncompliance — It’s Not Just About Breaches Anymore

The Office for Civil Rights (OCR) is paying close attention to the means by which organizations protect themselves and their patients’ health information, particularly in light of increased technology use for telework and telemedicine during the pandemic. To put it mildly, it’s not just about breaches anymore. As Roger Severino, OCR Director, stated, “The health care industry is a known target for hackers and cyberthieves. The failure to implement the security protections required by the HIPAA Rules…is inexcusable.”

Within a single week in September 2020, the OCR announced three settlements, totaling $10.65 million, in which systemic noncompliance with the HIPAA Privacy and Security Rules and a failure to adequately protect patient information led to breaches affecting millions of people. To put things in perspective, since 2003 the OCR has settled or imposed a civil money penalty in only 77 cases. These three settlements, all reached within the past month, represent 3.9% of those cases and account for 9.07% of the total amount the OCR has collected to date.

The OCR has made it clear it will not tolerate noncompliance with the Privacy and Security Rules. Its concerns have recently been heightened by advanced persistent threat (APT) groups exploiting the Coronavirus Disease 2019 (COVID-19) pandemic as part of their cyber operations. The OCR’s position is clear: “no excuses.” As Director Severino stated in response to one of the OCR’s most recent settlements, “If large health insurance entities don’t invest the time and effort to identify their security vulnerabilities, be they technical or human, hackers surely will.” The same holds true for smaller entities.

Premera Blue Cross – $6.85 Million

  • Cyberattack in which a phishing email was used to gain access to IT systems
  • Intrusion went undetected for nine months, resulting in the disclosure of more than 10.4 million individuals’ protected health information (PHI)
  • Investigation findings included failure to conduct an enterprise-wide risk analysis and to implement risk management and audit controls

CHSPSC, LLC – $2.3 Million

  • Notified by the FBI of a cyberhacking group’s persistent threat to its information system
  • For almost six months after receipt of the FBI notice, hackers continued to remotely access the system using compromised administrative credentials and exfiltrate the PHI of 6,121,158 individuals
  • Investigation findings included failure to conduct a risk analysis and to implement information system activity reviews, security incident procedures, and access controls

Athens Orthopedic Clinic PA – $1.5 Million

  • Patient record database posted online for sale by a hacker who used a vendor’s credentials to obtain access
  • 208,557 individuals affected
  • Investigation findings included failure to conduct a risk analysis, implement risk management and audit controls, maintain HIPAA policies and procedures, secure business associate agreements, and provide HIPAA training

Ongoing risk management is an essential part of protecting patient data and maintaining HIPAA compliance. PYA’s Overwatch Program offers a customizable approach to managing IT risks: it is designed to identify current security risks while continuously maturing IT practices and procedures. Led by a team of compliance professionals with a deep understanding of the entire healthcare delivery system and its relationship with technology, Overwatch’s platform addresses IT infrastructure, data governance, and risk management.

If you would like assistance with securing your technology and evaluating your risks to ensure compliance, or would like to learn more about Overwatch, contact a PYA executive at (800) 270-9629.
