OCR penalizes Children’s Hospital Colorado for HIPAA violations

Dec. 10, 2024
Multiple HIPAA violations lead to OCR’s 7th penalty of the year.

The U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR) announced a $548,265 civil monetary penalty against Children’s Hospital Colorado.

OCR opened an investigation into potential violations of the HIPAA Privacy and Security Rules after receiving breach reports from the hospital in 2017 and 2020, both relating to email phishing and cyberattacks.

OCR’s investigation found:

  • The first breach report described a phishing attack that compromised an email account containing the PHI of 3,370 individuals.
  • The second breach report followed the compromise of three email accounts containing the PHI of 10,840 individuals.
  • The first reported breach occurred because multi-factor authentication had been disabled on the affected email account.
  • The second set of breaches occurred, in part, because workforce members granted unknown third parties access to their email accounts.
  • Failure to train workforce members on the HIPAA Privacy Rule.
  • Failure to meet the HIPAA Security Rule requirement to conduct a compliant risk analysis identifying the potential risks and vulnerabilities to ePHI in its systems.

HHS release
