Phishing Incident Costs Health Center $400K

A Colorado health center has agreed to pay $400,000 to settle potential non-compliance with HIPAA following a 2011 phishing incident. In that incident, a hacker allegedly accessed Metro Community Provider Network employees’ email accounts, acquiring electronically protected health information for 3,200 people. The Office for Civil Rights found that MCPN did not conduct a risk analysis until a month after it reported the phishing incident, in February 2012, and prior to the breach had not conducted a risk analysis or implemented risk management plans. The case serves as an example that even lower-profile providers should work proactively to ensure cybersecurity.