
Children’s Hospital Colorado fined $548K for HIPAA violations


Children’s Hospital Colorado faces a hefty penalty from the HHS OCR following multiple HIPAA violations impacting thousands of individuals. 

 

What happened 

On December 5, 2024, the U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR) imposed a $548,265 civil monetary penalty against Children’s Hospital Colorado for multiple violations of the HIPAA Privacy and Security Rules. The violations stemmed from two breaches of protected health information (PHI) reported in 2017 and 2020. The 2017 breach involved a phishing attack that compromised an email account containing the PHI of 3,370 individuals; the compromise occurred because multifactor authentication had been disabled on the account.

The 2020 breaches involved unauthorized access to three email accounts containing the PHI of 10,840 individuals. These breaches were caused in part by workforce members granting access to unknown third parties. OCR’s investigation found that the hospital had failed to adequately train its workforce on the HIPAA Privacy Rule and had not conducted a risk analysis compliant with the HIPAA Security Rule to address vulnerabilities to electronic PHI (ePHI). In June 2024, OCR issued a Notice of Proposed Determination, which Children’s Hospital Colorado did not contest.

 

What was said 

According to OCR Director Melanie Fontes Rainer, “Email continues to be a very common way for cyberattackers to enter health information systems and jeopardize privacy and security. Healthcare entities should identify potential risks and vulnerabilities to email accounts and train their workforce to protect health information in those accounts.”

 

The bigger picture 

The penalty issued to Children’s Hospital Colorado follows a pattern of HHS enforcement actions against healthcare organizations. Another recent example is the $1.19 million fine issued against Gulf Coast Pain Consultants. These cases reveal recurring, preventable weaknesses, including inadequate risk analyses and failures to terminate the access of former staff.

The size of these penalties is a warning to healthcare organizations in a post-Change Healthcare world, where they are held to the highest standard of responsibility for failures to protect patient privacy.


 

FAQs

What are the primary ways email accounts are targeted by threat actors?

Email accounts are commonly targeted through: 

  • Phishing attacks
  • Social engineering tactics
  • Exploiting weak authentication measures

What differentiates a breach from a violation?

A breach involves unauthorized access to PHI, while a violation occurs when an entity fails to comply with HIPAA, which may or may not result in a breach.

 

Why is a risk analysis important in the healthcare sector?

A risk analysis identifies vulnerabilities and potential threats to ePHI.