Children’s Hospital denies violations over data breach as HHS hits it with $500,000 fine for breaking privacy rules

Hart Van Denburg/CPR News
Children’s Hospital Colorado at the CU Anschutz Medical Campus in Aurora, Aug. 30, 2019.

Children's Hospital Colorado was hit with a fine of more than $500,000 from the U.S. Department of Health and Human Services for violating privacy and security rules in connection with a data breach. The hospital denies the violations occurred.

HHS investigated Children's after two phishing attacks in 2017 and 2020 breached email accounts containing more than 10,000 people's protected health information.

The HHS said, in a press release, that the first reported breach compromised an email account containing the information of 3,370 individuals. The department found it happened “because multi-factor authentication was disabled on an email account.”

The second breach involved three emails with 10,840 individuals’ private health information. The HHS said it occurred, in part, “when workforce members gave permission to unknown third parties to access their email accounts.”

The release goes on to say HHS found violations of the HIPAA (Health Insurance Portability and Accountability Act) Privacy Rule for failure to train workforce members on the Privacy Rule, and of its Security Rule requirement to conduct a “compliant risk analysis to determine the potential risks and vulnerabilities to electronic health information in its systems.”

Children's Colorado did not appeal the fine

In an email, a hospital spokesperson said Children’s Colorado filed a HIPAA breach notice with Health and Human Services and its Office for Civil Rights in September 2017. She said the hospital cooperated with and was transparent with the office while it conducted an investigation into the breach.

Children’s Colorado did not appeal the penalty, “given the cost and resources necessary for such an effort,” she wrote. But Children’s Colorado refused to settle with HHS’s Office for Civil Rights “as we continue to believe violations did not occur.”

She said Children’s Colorado made significant efforts to negotiate a reasonable settlement.

“We are extremely disappointed in their final decision not to resolve this without penalties, despite our cooperation, transparency, and the lack of evidence showing any access to protected health information in the incident.”

She said there is no evidence that patients' health information was actually accessed. She also said that given how long it has taken HHS to resolve this investigation, “patients do not need to be concerned.”

However, she wrote that if patients do have concerns about their protected health information, they can contact [email protected].