St. Joseph Health pays $2.14 million for patient information breach

St. Joseph Health (SJH) will be paying a settlement of $2,140,500 for potential violations of the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Privacy and Security Rules.

SJH, based in Irvine, California, reported that electronic protected health information (ePHI) was mistakenly made accessible to the public through search engines such as Google from Feb. 1 to Feb. 13, 2012. On Feb. 14, 2012, SJH reported the breach to the HHS Office for Civil Rights (OCR). The breach included 31,800 documents with information including patient names, health statuses, diagnoses and demographic information.

The documents, originally created for participation in a meaningful use program, were stored on a server SJH had purchased. The server's file application had a default setting that gave anyone access to the documents through a search engine, and SJH failed to change this default, which resulted in the breach.

The settlement lists the violations as:

  1. A breach of patient information of 31,800 patients.
  2. SJH failed to test the newly purchased server to ensure the protection of documents.
  3. Installation was rushed and done without risk analysis, which is required by HIPAA.

On top of paying the settlement, SJH will implement a corrective action plan to run an enterprise-wide risk analysis, install a risk management plan and train staff on policies and procedures for protecting patient documents.

“Entities must not only conduct a comprehensive risk analysis, but must also evaluate and address potential security risks when implementing enterprise changes impacting ePHI,” said OCR Director Jocelyn Samuels. “The HIPAA Security Rule’s specific requirements to address environmental and operational changes are critical for the protection of patient information.”