Phishing incident lands $400,000 HIPAA fine for Denver FQHC
Metro Community Provider Network (MCPN), a federally qualified health center (FQHC) in Denver, agreed to a $400,000 HIPAA breach settlement and corrective action plan, the Office for Civil Rights (OCR) announced April 12.
MCPN detected the breach in December 2011. A hacker used a phishing email to gain access to employees’ email accounts and then used their credentials to access the protected health information (PHI) of 3,200 individuals, OCR said. MCPN reported the incident to OCR in January 2012, but did not conduct a risk analysis until February 2012. OCR’s investigation revealed that MCPN had not conducted any risk analyses prior to the breach. As a result, the organization had no risk management plan and no policies and procedures to prevent, detect, contain, and correct security violations, the corrective action plan said.
OCR’s statement suggests that the fine could have been much higher. However, the agency said it took into consideration MCPN’s status as an FQHC. FQHCs are safety net providers that furnish primarily outpatient services to vulnerable populations or outpatient facilities operated by a tribe, tribal organization, or urban Indian organization, according to CMS. MCPN furnishes primary medical care, dental care, pharmacies, social work, and behavioral health services to roughly 43,000 patients per year, most of whom are at or below the poverty level, the corrective action plan said.
Phishing emails are a major source of malware and a common method hackers use to obtain employees’ login credentials. For more information, see the September 2016 issue of Briefings on HIPAA, which is included in Platinum Revenue Cycle Advisor subscriptions.