Hospital Fined $240K for Records-Snooping Breach by Guards
HHS Says 23 Security Guards at Washington Hospital Accessed PHI of 419 Patients
Federal regulators have hit a Washington state-based hospital with a $240,000 HIPAA fine and corrective action plan following a breach involving 23 hospital security guards who were employed by an outside firm and snooped into the electronic medical records of 419 patients.
The settlement between the Department of Health and Human Services and MultiCare Yakima Valley Memorial Hospital involves a 2016-2017 episode that occurred while the facility was still known as Virginia Mason Memorial Hospital, prior to MultiCare's ownership of the facility.
"The incident involved a third-party security firm that accessed patients' records inappropriately. MultiCare was made aware of the HHS settlement during negotiations to bring Yakima Memorial into the MultiCare health system," a MultiCare spokesperson told Information Security Media Group.
"MultiCare Yakima Memorial Hospital no longer has any relationship with the third-party security firm," the spokesperson said.
When the incident was discovered in 2017, then-Virginia Mason Memorial Hospital sent letters to 419 of its past emergency room patients, alerting them to the breach, which was discovered during a routine internal audit by the entity, according to an April 2017 account of the incident by local news outlet the Yakima Herald.
The hospital's audit revealed that between October 2016 and January 2017, employees had improperly accessed those patients' records. A 2017 investigation by the hospital into the incident did not find any of the compromised patient data leaked on the dark web, according to the Yakima Herald.
HHS OCR in a statement about the settlement on Thursday said it had launched an investigation into the hospital in May 2018 after receiving a breach notification report about the incident.
The breach report said 23 security guards working in the hospital's emergency department used their login credentials to access patient medical records maintained in the organization's electronic medical record system without a job-related reason.
The patient information accessed included names, birthdates, medical record numbers, addresses, certain notes related to treatment and insurance information.
"Data breaches caused by current and former workforce members impermissibly accessing patient records are a recurring issue across the healthcare industry," said OCR Director Melanie Fontes Rainer in a statement. "Healthcare organizations must ensure that workforce members can only access the patient information needed to do their jobs."
Corrective Action Plan
Besides paying the financial settlement, MultiCare Yakima Valley Memorial agreed to implement a corrective action plan under the resolution agreement with HHS OCR.
That plan requires the hospital to conduct a thorough analysis to determine risks and vulnerabilities to electronic protected health information, develop and implement a risk management plan to address those weaknesses, enhance its HIPAA security training program, review all relationships with vendors and third-party service providers to identify HIPAA business associates, and obtain a business associate agreement with each, if one is not already in place.
MultiCare Yakima Valley Memorial declined ISMG's request for additional information about the breach.
The settlement between HHS OCR and Yakima is the fifth HIPAA enforcement action by the agency so far in 2023. The actions add up to nearly $1.9 million in HIPAA fine collections.