Colorado based Metro Community Provider Network (MCPN) may just be the victim of the most expensive phishing attack on record. MCPN did not lose their money to the attackers but rather is writing a $400,000 check to the Office for Civil Rights (OCR) for the breach that resulted. This amount would likely have been higher but OCR took into account the fact that MCPN provides a variety of healthcare services to over 43,000 patients a year, most of which are low income. OCR announced the settlement on April 12, 2017.
If you don’t know, phishing attacks generally try to trick victims into providing sensitive data in response to fraudulent emails that are crafted to look legitimate. In January of 2012, MCPN employees provided email credentials in response to phishing emails, resulting in the breach of 3,200 patients’ ePHI.
Phishing attacks are increasingly common and sophisticated and mistakes are bound to happen, so why is the settlement so substantial? The real issue here is that MCPN had taken very few steps towards the proper management of risk towards the ePHI it maintained. MCPN did not conduct a risk analysis until February, 2012, two months after they had already experienced the breach. Since MCPN did not have a risk analysis, it did not have any risk management plans to execute to decrease the risk to ePHI—from something like a phishing attack, for example. Further, the risk analysis MCPN did conduct after the breach was inadequate and did not meet the standards set forth by the Security Rule.
Threats to data security are here to stay and healthcare providers will continue to be targeted for the sensitive information contained in ePHI. It is not about if you will be attacked but rather about how you have prepared to deal with that risk when it happens. Healthcare providers need to continually update their risk analysis and subsequent risk management plans to avoid being hit with a settlement like MCPN. Don’t forget that employee training on current data security risks is essential.
The resolution agreement and corrective action plan can be found here.