The HHS announced a $1.19 million penalty against Gulf Coast Pain Consultants, LLC for multiple violations of the HIPAA Security Rule.
What happened
On December 3, 2024, the U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR) announced the penalty against Gulf Coast, which does business as Clearway Pain Solutions Institute. The enforcement action arose from a breach report filed by Gulf Coast itself, which revealed that a former contractor had impermissibly accessed the organization's electronic medical record (EMR) system on three separate occasions.
The unauthorized access, which took place before OCR's investigation, exposed the protected health information (PHI) of approximately 34,310 individuals; the PHI was reportedly used to support Medicare claims. Following its investigation, OCR determined that Gulf Coast had failed to conduct an accurate and thorough risk analysis, to implement procedures for regularly reviewing records of information system activity, to terminate access for former workforce members, and to manage user access rights. In practical terms, the contractor's credentials were still usable after the engagement ended, and no procedure existed to review the EMR activity records that would have shown the logins.
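Two of the failures OCR cited, not terminating access for former workforce members and not reviewing system activity, are caught by one routine control: reconciling the EMR access log against the workforce roster. The following is an added example, not code from Gulf Coast, OCR or the page; the roster, user names, patient record identifiers and log lines are constructed sample data, and the `timestamp|user|action|record` log format is an assumption chosen for the example. It flags any event by a user whose termination date has passed, and any event by a user who does not appear in the roster at all, then counts findings per user so that repeated access by one account stands out.

```python
"""
Reconcile EMR access-log events against a workforce roster to flag access
by users whose credentials should have been revoked.

Added example; not code from Gulf Coast, OCR or the original article.
ROSTER and AUDIT_LOG are constructed sample data with hypothetical names.
"""
from dataclasses import dataclass
from datetime import datetime, date

# Constructed roster: user id -> role and termination date (None = still active).
ROSTER = {
    "jdoe":   {"role": "contractor", "terminated": date(2024, 3, 15)},
    "asmith": {"role": "physician",  "terminated": None},
    "rlee":   {"role": "billing",    "terminated": date(2024, 1, 31)},
}

# Constructed audit log. Assumed format: ISO timestamp|user|action|record.
AUDIT_LOG = """\
2024-03-10T09:12:44|jdoe|VIEW|patient:10231
2024-03-20T22:41:03|jdoe|EXPORT|patient:10231
2024-04-02T08:05:19|asmith|VIEW|patient:20077
2024-04-05T23:58:50|jdoe|EXPORT|patient:30410
2024-04-06T10:15:00|ghost|VIEW|patient:30410
2024-02-01T07:00:00|rlee|VIEW|patient:10231
"""


@dataclass
class Finding:
    timestamp: datetime
    user: str
    action: str
    record: str
    reason: str


def parse_log(text):
    """Parse the pipe-delimited log into (timestamp, user, action, record) tuples."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        ts, user, action, record = line.split("|", 3)
        events.append((datetime.fromisoformat(ts), user, action, record))
    return events


def find_stale_access(events, roster):
    """Return events by terminated users (on or after the termination date)
    and by users absent from the roster.

    The comparison is on calendar date because the roster only records a
    termination date; in a real deployment compare against the exact
    deprovisioning timestamp from the identity system instead.
    """
    findings = []
    for ts, user, action, record in events:
        entry = roster.get(user)
        if entry is None:
            findings.append(Finding(ts, user, action, record,
                                    "user not in workforce roster"))
            continue
        term = entry["terminated"]
        if term is not None and ts.date() >= term:
            findings.append(Finding(ts, user, action, record,
                                    f"access after termination on {term.isoformat()}"))
    return findings


def summarize(findings):
    """Count findings per user so that repeated access by one account is visible."""
    counts = {}
    for f in findings:
        counts[f.user] = counts.get(f.user, 0) + 1
    return counts


if __name__ == "__main__":
    results = find_stale_access(parse_log(AUDIT_LOG), ROSTER)
    for f in sorted(results, key=lambda f: f.timestamp):
        print(f"{f.timestamp.isoformat()} {f.user:8} {f.action:6} {f.record}  <- {f.reason}")
    print(summarize(results))
```

On the sample data the review flags two logins by the terminated contractor `jdoe`, one by `rlee` the day after termination, and one by `ghost`, an account with no roster entry; the active physician `asmith` produces no finding. The "not in roster" rule matters because a contractor account is often created outside the HR process and never appears on a termination list at all. Scheduling this reconciliation daily, rather than running it only after a breach report, is the "regular review of system activity" the Security Rule expects.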
In August 2024, OCR issued a Notice of Proposed Determination to impose the penalty. Gulf Coast chose not to contest it, leading to the final determination and imposition of the penalty.
What was said
According to OCR Director Melanie Fontes Rainer, “Current and former workforce can present threats to health care privacy and security—risking continuity of care and trust in our health care system. Effective cybersecurity and compliance with the HIPAA Security Rule means being proactive in reviewing who has access to health information and responding quickly to suspected security incidents.”
Why it matters
The Gulf Coast breach reflects a systemic weakness in healthcare data protection that has also surfaced in larger incidents such as the Change Healthcare breach. From a patient's standpoint, these breaches put sensitive information entrusted to healthcare organizations at risk. OCR's enforcement rests on the fact that this breach was avoidable: revoking the contractor's credentials when the engagement ended and routinely reviewing EMR access records would have prevented the access or caught it after the first occasion rather than the third. By implementing such basic, diligent controls, organizations can greatly reduce the harm these incidents cause.
FAQs
What is a data breach?
A data breach occurs when an unauthorized party gains access to systems, networks, or data. The party need not be an outsider: as in this case, a former contractor logging in with credentials that were never revoked is unauthorized access even though the login itself succeeds.
Why is PHI so often breached?
In healthcare, PHI is often incompletely secured because of a combination of legacy systems, weak access management, and deliberate targeting by threat actors who know the data is valuable.