
Lessons from the HHS crackdown on the Children’s Hospital Colorado

A Colorado hospital faces a six-figure fine from the HHS OCR as a result of multiple HIPAA violations in 2017 and 2020. 

 

What happened

On December 5, 2024, the U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR) imposed a $548,265 civil monetary penalty against Children’s Hospital Colorado for multiple violations of the HIPAA Privacy and Security Rules. The violations stemmed from two breaches of protected health information (PHI) reported in 2017 and 2020. In June 2024, OCR issued a Notice of Proposed Determination, which Children’s Hospital Colorado did not contest.

 

The reasons behind the penalty

The $548,265 penalty against the hospital stemmed from several actions and failures violating the HIPAA Privacy and Security Rules. These include: 

Phishing attack (2017) 

A phishing attack compromised an email account containing the PHI of 3,370 individuals. The email account was found to have lacked multifactor authentication (MFA), a safeguard required by the HIPAA Security Rule to prevent unauthorized access to electronic PHI (ePHI). The absence of MFA left the account vulnerable to cyberattacks.

 

Second breach (2020)

Three email accounts were breached, exposing the PHI of 10,840 individuals. Employees were found to have unknowingly granted access to third parties, which revealed that staff training had failed to adequately prepare them for email phishing attacks.

 

Failure to conduct risk analysis

The hospital did not perform a comprehensive risk analysis to identify vulnerabilities in its systems. Without regular risk assessments, the hospital failed to identify and address potential weaknesses in its security measures. 

 

Noncompliance with HIPAA Privacy and Security Rules

The hospital failed to meet the requirements of both the Privacy Rule and the Security Rule. These failures contributed to the breaches and, because noncompliance with HIPAA is itself a violation, formed the basis of the penalty.

 

How it could have been avoided 

  1. Improving email security by implementing advanced email filtering tools capable of detecting phishing emails, malicious attachments, and suspicious links, which would have blocked most phishing attempts.
  2. Strengthening workforce preparedness for cyberattacks by conducting regular simulated phishing exercises that train staff to identify phishing emails and suspicious behavior, reinforcing the need for email security.
  3. Tailoring security training to each employee's role in the organization so that the training remains relevant.
  4. Performing continuous risk assessments to identify vulnerabilities in the hospital’s systems, including evaluating potential threats to email accounts.
  5. Managing third-party vendors by continuously assessing business associate agreements (BAAs) and the third parties' security posture. Using a HIPAA compliant email platform like Paubox ensures the security of ePHI.

 

FAQs

Why are email accounts primary points of attack? 

Email accounts are primary points of attack because they are widely used and often contain a wealth of PHI as well as other organizational information, allowing them to serve as an entry point for access to larger systems.

 

What is the Notice of Proposed Determination?

A formal document issued by the HHS OCR outlining the findings of HIPAA violations.

 

Which safeguards set the requirement for MFA?

The Security Rule's technical safeguards set the requirement for implementing multifactor authentication. 
