OCR penalizes Children’s Hospital Colorado for HIPAA violations

Dec. 10, 2024
Multiple HIPAA violations lead to OCR’s 7th penalty of the year.

A $548,265 civil monetary penalty against Children’s Hospital Colorado was announced by the U.S. Department of Health and Human Services (HHS), Office for Civil Rights (OCR).

OCR conducted an investigation concerning violations of the HIPAA Privacy and Security Rules following receipt of breach reports in 2017 and 2020, relating to email phishing and cyberattacks.

OCR’s investigation found:

  • One reported breach involved a phishing attack that compromised an email account containing 3,370 individuals’ PHI.
  • Another followed the breach of three email accounts containing 10,840 individuals’ PHI.
  • The first reported breach happened because multi-factor authentication was disabled on an email account.
  • The second breach occurred, in part, when workforce members gave permission to unknown third parties to access their email accounts.
  • Failure to train workforce members on the HIPAA Privacy Rule, and failure to meet the HIPAA Security Rule requirement to conduct a compliant risk analysis to determine the potential risks and vulnerabilities to ePHI in its systems.

HHS release
