2 min read

Even nonprofit healthcare providers risk HIPAA fines - Metro pays $25K for data breach

Ryan Ozawa September 8, 2020

HIPAA compliance Healthcare cybersecurity news
Computer monitor displaying a security breach error message with a red X
Computer monitor displaying a security breach error message with a red X symbol Even small healthcare providers dedicated to helping underserved populations need to be HIPAA compliant. That's the lesson learned this summer by Agape Health Services in North Carolina. Operated by Metropolitan Community Health Services, the provider recently agreed to pay $25,000 for its disclosure of the protected health information (PHI) of 1,263 patients.

About Metropolitan Community Health Services

Metropolitan Community Health Services (or Metro) is a 501(c)(3) nonprofit healthcare provider dedicated to rural communities in eastern North Carolina. It is a Federally Qualified Health Center (FQHC). With two locations and a third slated to open this year, Metro provides direct primary and preventive medical, dental, pharmacy, and behavioral health services on a sliding fee scale. Established in 1998, the health care provider is dedicated to low-income and indigent members of the community, providing services regardless of age, race, or faith. In addition to operating free or low-fee clinics under the name Agape Health Services, Metro also helps clients with housing, finances, and education.

 

What happened?

Metro filed a data breach report in 2011 with the Office for Civil Rights (OCR) at the Department of Health and Human Services (HHS). The breach involved the impermissible disclosure of 1,263 patients' PHI to an "an unknown email account." In other words, Metro fell victim to an email phishing attack. Through its investigation, HHS found "longstanding, systemic noncompliance with the HIPAA Security Rule." For example:
  • Failure to conduct any risk analyses
  • Failure to implement any HIPAA Security Rule policies and procedures
  • Failure to provide workforce members with security awareness training until 2016
SEE ALSO: Why Investing in Ongoing Cybersecurity Training is Good Business "Health care providers owe it to their patients to comply with the HIPAA Rules," said OCR director Roger Severino in the HHS press release. "When informed of potential HIPAA violations, providers owe it to their patients to quickly address problem areas to safeguard individuals' health information."

 

What was the penalty?

Under the resolution agreement between Metro and the OCR, Metro did not have to admit liability. However, the healthcare provider agreed to pay $25,000 to OCR, which noted that the low-cost services that Metro provides to its community "were taken into account in reaching this agreement." In addition to the monetary settlement, Metro agreed to a corrective action plan that includes:
  • Conducting a thorough, enterprise-wide risk and vulnerability analysis
  • Upon approval, developing and implementing a risk management plan
  • Conducting an accurate and thorough risk and vulnerability assessment every year

 

Conclusion

Even federally sanctioned, non-profit healthcare providers that help the most vulnerable people need to be HIPAA compliant. Indeed, putting these already disadvantaged clients at risk of identity theft or fraud is especially troubling. In the Metro case, as in many data breach cases, the unauthorized disclosure of health information occurred via email. Email is the number one threat vector due to the human factor. Email filtering tools can block a lot of malicious messages, but if even one gets through it just takes one inadvertent click to grant unauthorized access to a hacker. This is a vulnerability that Paubox Email Suite Plus is designed to address. It addition to enabling healthcare providers to send HIPAA compliant email without relying on passwords or portals, it helps mitigate inbound email threats by utilizing hundreds of checks on each incoming email to protect you against malicious attacks.
 
Try Paubox Email Suite Plus for FREE today.
Start for free
Secure every email you send and receive HIPAA compliant. Threat-proof. Hassle-free.
u.s. department of health and human services logo

Summary of the HHS cybersecurity planning document

Picture of Liyanda Tembani Liyanda Tembani : December 27, 2023

The United States Department of Health and Human Services (HHS) released a document in December 2023, outlining a strategic plan to bolster...

HIPAA compliance Healthcare cybersecurity news
Read More
Person holding smartphone while using laptop

Modernizing healthcare communication

Picture of Tshedimoso Makhene Tshedimoso Makhene : August 7, 2025

Electronic health records (EHRs), telehealth, and cloud-based systems have transformed how healthcare professionals interact with patients and each...

HIPAA compliance Healthcare cybersecurity news
Read More
Image of a shelf with folders.

OPM’s plan to collect medical records draws HIPAA compliance warnings 

Picture of Farah Amod Farah Amod : May 5, 2026

Sixty-five health insurance carriers have been asked to submit monthly claims-level protected health information (PHI) on federal employees and their...

HIPAA compliance Healthcare cybersecurity news
Read More

Subscribe to Paubox Weekly

Every Friday we bring you the most important news from Paubox. Our aim is to make you smarter, faster.