[ Thursday, April 13, 2017 ]


Metro Community (Colorado): A federally-qualified health center falls victim to a phishing attack.  The attack is not their fault, and they respond appropriately.  All good, right?

Wrong.  Even though they did nothing wrong here, they had never done an initial risk analysis.  They did a risk analysis after the phishing attack; apparently, even if they had done it before the attack, they still likely wouldn't have been able to prevent the attack.  But . . .

HIPAA required them to do a risk analysis.  That requirement has been in place since 2005.  Even though the lack of a risk analysis wasn't the cause of the breach, the breach revealed the lack of a risk analysis.

And that's a $400,000 fine.  OCR even mentions that the fine takes into account the financial situation of Metro Community, which primarily provides care to the poor and underserved in Denver, which means that the fine would likely have been 7 figures otherwise.

Moral of the story: DO A RISK ANALYSIS.  Seriously.  It's highly likely that I would not know the name of Metro Community today if they had done a risk analysis a year or two ago.

Jeff [2:42 PM]
