Healthcare Breach and $400,000 Penalty Result From Poor Risk Assessments

Steven Minsky | July 11, 2017

Breaches are preventable failures in risk management. A healthcare breach at Metro Community Provider Network (MCPN), a federally approved organization, led to a $400,000 penalty and a mandated correction plan. The Office for Civil Rights (OCR) levied the penalty; the cause of the breach has been cited as a failure to conduct “a timely and comprehensive risk assessment,” according to Information Security Media Group.

As we’ve said before, an old proverb – an ounce of prevention is worth a pound of cure – is a fitting rule in risk management. Had MCPN invested in integrated risk management activities, it could have prevented the breach altogether. Instead, it’s financing corrective action (the “cure”) in response to a phishing attack, must pay $400,000 for noncompliance, and will likely suffer major damage to its reputation.

What Happened?

In January 2012, MCPN filed a healthcare breach report with OCR. A hacker reportedly “accessed employee’s email accounts and obtained 3,200 individuals’ electronic protected health information through a phishing incident.” It wasn’t until April of this year, however, that OCR revealed it had signed a resolution agreement with MCPN following the healthcare breach.

This is particularly calamitous for a healthcare organization, which the public trusts to safeguard sensitive information. Poor governance affects all of us and is never excusable. It’s negligence, and a company that allows a scandal to unfold through negligence is not just acting unjustly; it’s violating its moral obligation to its stakeholders and community.

As described in another of our blog posts, “Use ERM to Defend Against Ransomware and Data Breaches,” phishing attacks target individual employees, often masquerading as trustworthy emails.

MCPN failed to conduct an enterprise risk analysis until a month after reporting the breach. Even when the organization did start assessing risk, however, those efforts were not deemed sufficient to meet requirements in the HIPAA security rule.

Failure to perform risk management best practices (a minimal investment compared to the fallout of a breach) led directly to the cybersecurity incident, compliance issues, and significant negative media exposure.

Companies in Every Industry Can Learn From This Healthcare Breach

As is the case with many incidents, this healthcare breach is fundamentally not a cybersecurity issue, nor a compliance issue. It’s a governance issue. Strong governance is crucial to effective risk management, and it’s also the framework for the “ounce of prevention” that makes “a pound of cure” obsolete.

MCPN should have started performing root-cause risk assessments well before it did. Its failure to identify and assess risks in its ePHI environment prevented the organization from implementing appropriate mitigation activities/controls.

Specifically, the $400,000 restitution is a sign that breaches/incidents are now considered “a symptom of larger issues that indicate general failures to have appropriate safeguards in place.”

Better Risk Assessments

Check out our eBook with 5 steps for better risk assessments here!