On December 4, 2024, HHS announced an agreement with Gulf Coast Pain Consultants calling for payment of $1.1 million in civil penalties due to alleged lack of compliance with HIPAA's security requirements.  Two days later, HHS announced an agreement with Children's Hospital Colorado for payment in excess of $500,000 for HIPAA security issues arising from multi-factor authentication missteps that led to unauthorized access.

Starting with the Children's Hospital matter: in 2017, this not-for-profit hospital reported to HHS that a physician's email account had been accessed without authorization.  The investigation revealed that the hospital's help desk had turned off the physician's multi-factor authentication (MFA) and neglected to reactivate it.  As a result, the threat actor acquired protected health information of more than 3,300 children.  In 2020, Children's Hospital reported another breach, this time involving three email accounts of student nurses, who had approved MFA access requests even though they had not initiated them.  As a result, the threat actor acquired protected health information on more than 10,000 individuals.  (The hospital admitted it had not provided training to the student nurses.)

HHS found that the hospital had

  • Failed to train its workforce;
  • Impermissibly disclosed protected health information; and
  • Failed to conduct a thorough and accurate risk assessment.  During the investigation the hospital proposed a risk assessment, which HHS did not find adequate, so the hospital sought the agency’s assistance in revising the risk assessment.

HHS' civil monetary penalties are tiered by the level of culpability, with a per-violation amount and an annual cap for each tier.  If the entity did not know of the violation and could not reasonably have known (say, a zero-day vulnerability), the fine is $100 per violation (indexed to inflation), with an annual cap of $25,000.  If the violation was due to reasonable cause and not willful neglect, the fine rises to $1,000 per violation (currently $1,379), with an annual cap of $100,000.  For willful neglect the amounts increase to $10,000 per violation with an annual cap of $250,000 if the violation is corrected within 30 days, and $50,000 per violation with an annual cap of $1,500,000 if the willful neglect is not corrected within 30 days.

HHS also looks at five factors with respect to the amount of the fine:

1. The nature and extent of the violation;

2. The nature and extent of the harm;

3. The organization's history of compliance/violations;

4. The organization's financial condition; and

5. As the interests of justice may require.

In the Children's Hospital matter, HHS found "multiple, longstanding proposed violations," but because the hospital addressed the violations during the course of the investigation, these were neither an aggravating nor a mitigating factor.  HHS issued civil monetary penalties in the amount of $100,000 for the failure to provide training; $100,000 for the impermissible disclosure of PHI; and $348,265 relating to the risk assessment (three years at the $100,000 annual cap, plus 35 days at $1,379 per day).  The total amount of the settlement was $548,265.

In the second matter, HHS applied a similar analysis to a very different set of facts.  Gulf Coast Pain Consultants had hired a contractor in 2018 and provided the contractor with access to its systems.  The contractor's services stopped in August of 2018, but the contractor's credentials were never revoked.  Between September of 2018 and February of 2019, someone using those credentials obtained access to protected health information of more than 34,000 individuals and then allegedly used that information to file 6,500 false Medicare claims.  (The criminal proceeding against the contractor resulted in a not guilty verdict.)

Gulf Coast notified HHS of the breach and HHS investigated.  In this instance, the alleged violations, and the corresponding penalties, were more serious.  HHS alleged that the company:

  Failed to conduct an adequate risk assessment                    $500,000
  Did not regularly review information system activity             $300,000
  Had no procedures to terminate system access                     $300,000
  Had no procedure for reviewing and changing user access          $300,000

These amounts total $1,400,000; the penalty was reduced to $1,100,000 because HHS gave Gulf Coast credit for having adopted "recognized security practices" (the HITECH Act amendment that lets HHS take documented security practices into account when setting penalties).  Note that this breach was the first reported by Gulf Coast, but HHS found that the "history of compliance" factor was neutral (neither aggravating nor mitigating).

Our Take

The Children's Hospital matter shows how small operational missteps (a help desk that turns off MFA and forgets to turn it back on; users who approve prompts they did not trigger) turn into reportable breaches.  Unprompted MFA push requests are not noise: they mean someone already holds that user's password and is trying to get the second factor approved, a pattern commonly called MFA push fatigue or push bombing.  If users in your organization report MFA requests they did not initiate, security should pull the sign-in logs behind those prompts, check whether the attempts originate outside the organization, reset the affected credentials and revoke active sessions.  Users should be told never to approve a request they did not initiate and to report the attempt to the help desk instead.  Where the identity provider supports it, number matching (the user must type a code shown on the login screen into the authenticator) removes the one-tap approval that this attack relies on.  Mistakes with MFA tend to be a hot-button issue for most regulators, including HHS, so data security programs should take extra care that MFA is properly configured, that any MFA exceptions granted by the help desk are time-limited and tracked, and that IT and employees are properly trained.
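The two checks described above, as an added example that is not part of the original post and not anything HHS or the hospital published: a small Python script that runs over MFA log records and flags (1) a burst of push prompts for one user in a short window, noting whether the sign-ins came from outside the organization and whether an approval followed denials, and (2) accounts whose MFA was disabled by the help desk and is still disabled after a grace period.  The log format, field names, internal network ranges, grace period and every sample line are constructed for the example; a real deployment would replace the parser with one for the identity provider's own export.

```python
"""Added example: detection for the two MFA failure modes in the Children's
Hospital matter (push fatigue, and MFA disabled and never re-enabled).
Log format, field names, ranges and sample lines are all constructed."""
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

# Assumed internal address ranges (hypothetical).
INTERNAL_NETS = [ip_network("10.0.0.0/8"), ip_network("203.0.113.0/24")]

# Constructed sample log: ISO timestamp followed by key=value pairs.
SAMPLE_LOG = """\
2024-03-01T07:55:00Z user=jdoe event=mfa_push src=10.20.30.40 result=approved
2024-03-01T08:00:00Z user=nurse1 event=mfa_push src=198.51.100.7 result=denied
2024-03-01T08:01:30Z user=nurse1 event=mfa_push src=198.51.100.7 result=denied
2024-03-01T08:03:00Z user=nurse1 event=mfa_push src=198.51.100.7 result=denied
2024-03-01T08:05:45Z user=nurse1 event=mfa_push src=198.51.100.7 result=approved
2024-03-01T09:00:00Z user=drsmith event=mfa_disabled actor=helpdesk
2024-03-01T09:10:00Z user=nurse2 event=mfa_disabled actor=helpdesk
2024-03-01T09:40:00Z user=nurse2 event=mfa_enabled actor=helpdesk
2024-03-01T10:00:00Z user=rlee event=mfa_push src=10.20.30.41 result=approved
2024-03-01T14:00:00Z user=rlee event=mfa_push src=10.20.30.41 result=approved
2024-03-01T18:00:00Z user=rlee event=mfa_push src=10.20.30.41 result=approved
"""

# Fixed "now" so the grace-period check is deterministic (assumed).
NOW = datetime(2024, 3, 2, 8, 0, 0)


def parse_log(text):
    """Turn raw lines into dicts with a parsed datetime in 'ts'; blank lines are skipped."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        stamp, *pairs = line.split()
        rec = dict(p.split("=", 1) for p in pairs)
        rec["ts"] = datetime.strptime(stamp, "%Y-%m-%dT%H:%M:%SZ")
        events.append(rec)
    return events


def is_external(ip):
    """True when the address falls outside every internal range."""
    addr = ip_address(ip)
    return not any(addr in net for net in INTERNAL_NETS)


def find_push_bursts(events, window=timedelta(minutes=10), threshold=3):
    """Per user, the largest run of push prompts inside `window`; report runs >= threshold."""
    by_user = {}
    for e in events:
        if e["event"] == "mfa_push":
            by_user.setdefault(e["user"], []).append(e)
    findings = {}
    for user, pushes in by_user.items():
        pushes.sort(key=lambda e: e["ts"])
        best, j = [], 0
        for i in range(len(pushes)):          # sliding window over sorted prompts
            while j < len(pushes) and pushes[j]["ts"] - pushes[i]["ts"] <= window:
                j += 1
            if j - i > len(best):
                best = pushes[i:j]
        if len(best) < threshold:
            continue
        seen_denied = approved_after_denial = False
        for e in best:
            if e["result"] == "denied":
                seen_denied = True
            elif e["result"] == "approved" and seen_denied:
                approved_after_denial = True  # the user eventually tapped "approve"
        findings[user] = {
            "pushes": len(best),
            "external_sources": sorted({e["src"] for e in best if is_external(e["src"])}),
            "approved_after_denial": approved_after_denial,
        }
    return findings


def find_mfa_gaps(events, now=NOW, max_gap=timedelta(hours=4)):
    """Users whose MFA was disabled and is still disabled more than `max_gap` later."""
    disabled_at = {}
    for e in sorted(events, key=lambda e: e["ts"]):
        if e["event"] == "mfa_disabled":
            disabled_at[e["user"]] = e["ts"]
        elif e["event"] == "mfa_enabled":
            disabled_at.pop(e["user"], None)   # re-enabled: clear the open gap
    return {u: now - ts for u, ts in disabled_at.items() if now - ts > max_gap}


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    for user, finding in find_push_bursts(evs).items():
        print(f"push burst: {user} {finding}")
    for user, gap in find_mfa_gaps(evs).items():
        print(f"MFA still disabled: {user} for {gap}")
```

On the sample data the script reports nurse1 (four prompts in under six minutes from an external address, ending in an approval after three denials) and drsmith (MFA disabled by the help desk and still off 23 hours later); jdoe, rlee and nurse2 are not flagged.  The window and threshold are starting points, not tuned values; the external-source check only helps if the internal ranges are kept accurate.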

Both organizations were penalized for not having adequate risk assessments.  Having a current risk assessment would be a very good start to 2025.