Attorneys, app developers, and consultancies take note: lawyers and consultants can be the subjects of massive HIPAA fines for health information security failures, as shown by the $2.3 million penalty proceeding settlement announced by the Office of Civil Rights (OCR) of the US Department of Health and Human Services (HHS) on September 23, 2020. As the firm learned the hard way, a Virtual Private Network (VPN) alone did not shield it from either the initial attack or the ensuing penalty.
The firm, CHSPSC, LLC, provides legal, accounting, human resources, and healthcare operations services to hospitals and clinics indirectly owned by Community Health Systems, Inc. (CHS). To do this, the firm requires access to identifiable health information of CHS patients. As noted in the OCR Resolution Agreement, the firm was notified by the FBI on April 18, 2014, that hackers had obtained administrators’ credentials and remotely accessed patient information through the firm’s VPN. Yet, the attacker’s activity continued through August 2014. In total, the information of over 6 million people was exfiltrated (taken from the system), including Social Security Numbers and dates of birth.
OCR alleged in its penalty proceeding that CHSPSC, LLC violated the HIPAA Security Rule by failing to take reasonable steps to prevent the attack and to respond to it appropriately when notified by the FBI. Many law and accounting firms use VPNs as a safeguard for sensitive information and data protected by laws and regulations. However, the VPN itself must also be protected because, as occurred here, an attacker holding valid credentials can use it as the route into the information systems it is meant to guard, gaining access to confidential data as an apparently authorized user.
The Resolution Agreement for the HIPAA penalty proceeding comprised a settlement of the OCR penalty proceeding with a monetary fine of $2.3 million and included a two-year Corrective Action Plan, under which CHSPSC, LLC is required to submit to HHS an internal monitoring plan for controls on access to its information systems, a risk analysis, a risk management plan, and revisions to its security policies and procedures. These activities will require expense well in excess of the $2.3 million penalty.
This settlement shows that OCR will vigorously enforce HIPAA provisions against Business Associates, including law firms, accounting firms, healthcare app developers, and consultancies. These organizations should also take away from this proceeding that a VPN alone will not offer sufficient protection against cyber criminals, nor will it alone satisfy the organization’s security compliance requirements.