Metro Community Provider Network (MCPN), a Federally Qualified Health Center (FQHC), has incurred a data breach due to an insufficient risk analysis and poor preventative actions. As a result, MCPN has agreed to pay $400,000 to the Office for Civil Rights (OCR). Along with the fee, the health center will also implement a corrective action plan.
The case dates back to January 27, 2012, when MCPN filed a breach report with the OCR. The report indicated that a hacker accessed an employee's email account through a phishing incident. With that access, the hacker was able to obtain the ePHI of 3,200 individuals.
Following the investigation and settlement, OCR Director Roger Severino said the following: “Patients seeking health care trust that their providers will safeguard and protect their health information. Compliance with the HIPAA Security Rule helps covered entities meet this important obligation to their patient communities.”
At Paubox, we have written numerous times about the importance of HIPAA and how to avoid violations. Our articles echo Mr. Severino's statements about how important meeting HIPAA compliance is for covered entities and business associates.
As a Federally Qualified Health Center (FQHC), Metro Community Provider Network (MCPN) provides primary medical care, dental care, pharmacies, social work, and behavioral health care services throughout the greater Denver, Colorado metropolitan area. They serve approximately 43,000 patients per year, a large majority of whom have incomes at or below the poverty level. In return for these services, MCPN gets funding and other financial benefits from the government. However, the OCR is now questioning their status as an FQHC following this incident.