Federally qualified health center settles $400,000 HIPAA breach
April 21, 2017
— The federal government in April settled a potential violation of the Health Insurance Portability and Accountability Act with a Denver-area federally qualified health center that was reportedly the victim of a 2012 phishing attack.
Metro Community Provider Network agreed to pay $400,000 and implement a corrective action plan to resolve potential noncompliance with HIPAA Privacy and Security Rules, according to the U.S. Department of Health and Human Services Office for Civil Rights.
Metro Community Provider Network provides primary medical care, dental care, pharmacy, social work and behavioral health care services throughout the greater Denver area to approximately 43,000 patients per year.
On Jan. 27, 2012, the center filed a breach report with the Office of Civil Rights indicating hackers had accessed employees' email accounts and obtained 3,200 individuals' electronic protected health information.
The Office of Civil Rights’ investigation revealed that the center failed to conduct a risk analysis until mid-February 2012; prior to the breach, the center had not conducted a risk analysis to assess risks and vulnerabilities and had not implemented any risk management plans to address them.
The Office of Civil Rights’ guidance on the Security Rule may be found at hhs.gov/hipaa/for-professionals/security/guidance/index.html
To help dentists implement a step-by-step HIPAA compliance program, the ADA offers the ADA Complete HIPAA Compliance Kit (J598). ADA members can save 15 percent on the HIPAA kit and all ADA Catalog products with promo code 17125 until June 30. To order, visit adacatalog.org
or call 1-800-947-4746.