St. Joseph Health pays $2.14 million for patient information breach

St. Joseph Health (SJH) will be paying a settlement of $2,140,500 for potential violations of the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Privacy and Security Rules.

SJH, based in Irvine, California, reported that electronic protected health information (ePHI) was mistakenly made accessible to the public through search engines such as Google from Feb. 1 to Feb. 13, 2012. On Feb. 14, 2012, SJH reported the breach to the HHS Office for Civil Rights (OCR). The breach included 31,800 documents with information including patient names, health statuses, diagnoses and demographic information.

Originally created for the participation in a meaningful use program, the documents were stored on a server SJH had purchased. But the server had a file application default setting that gives anyone access to the documents through a search engine, and SJH failed to change this default which resulted in the breach.

The settlement lists the violations as

  1. A breach of patient information of 31,800 patients.
  2. SJH failed to test the newly purchased server to ensure the protection of documents.
  3. Installment was rushed and done without risk analysis, which is required by HIPAA.

On top of paying the settlement, SJH will implement a corrective action plan to run an enterprise-wide risk analysis, install a risk management plan and train staff on polices and procedures for protecting patient documents.

“Entities must not only conduct a comprehensive risk analysis, but must also evaluate and address potential security risks when implementing enterprise changes impacting ePHI,” said OCR Director Jocelyn Samuels. “The HIPAA Security Rule’s specific requirements to address environmental and operational changes are critical for the protection of patient information.”

""
Cara Livernois, News Writer

Cara joined TriMed Media in 2016 and is currently a Senior Writer for Clinical Innovation & Technology. Originating from Detroit, Michigan, she holds a Bachelors in Health Communications from Grand Valley State University.

Around the web

The tirzepatide shortage that first began in 2022 has been resolved. Drug companies distributing compounded versions of the popular drug now have two to three more months to distribute their remaining supply.

The 24 members of the House Task Force on AI—12 reps from each party—have posted a 253-page report detailing their bipartisan vision for encouraging innovation while minimizing risks. 

Merck sent Hansoh Pharma, a Chinese biopharmaceutical company, an upfront payment of $112 million to license a new investigational GLP-1 receptor agonist. There could be many more payments to come if certain milestones are met.