BayCare Health System fined $800K for Impermissible Access Exploited by a Malicious Insider


This reinforces the need for strong access controls under HIPAA

The U.S. Department of Health and Human Services (HHS), Office for Civil Rights (OCR), announced a settlement with BayCare Health System, a Florida-based healthcare provider, for potential violations of the HIPAA Security Rule. The case stemmed from a complaint alleging impermissible access to a patient’s electronic protected health information (ePHI), highlighting the ongoing need for covered entities to manage and monitor system access carefully.

BayCare agreed to pay $800,000 and implement a two-year Corrective Action Plan (CAP) to resolve OCR’s findings and strengthen its data security practices.

History

In October 2018, OCR received a complaint from a patient who reported being contacted by an unknown individual possessing photographs and a video of her printed medical records. The images appeared to show someone scrolling through her records on a computer screen after she received care at a BayCare facility.

OCR’s investigation revealed that the login credentials used to access the records belonged to a non-clinical former employee of a physician practice that had access to BayCare’s electronic medical record system for shared patient care. The improper access exposed weaknesses in BayCare’s user authorization and monitoring controls.

OCR’s Findings

OCR determined that BayCare potentially violated multiple provisions of the HIPAA Security Rule, including failure to:

  • Implement proper policies and procedures for authorizing access to ePHI consistent with the Privacy Rule.
  • Reduce risks and vulnerabilities to ePHI to a reasonable and appropriate level.
  • Regularly review audit logs and system activity to detect unauthorized access.

These lapses allowed a former staff member to retain and misuse access credentials—an avoidable risk that underscores the importance of continuous access management and workforce oversight.

Settlement Terms

Under the Resolution Agreement, BayCare will:

  • Pay $800,000 to HHS OCR.
  • Undergo a two-year Corrective Action Plan monitored by OCR.
  • Conduct a complete risk analysis to identify potential threats and vulnerabilities to ePHI.
  • Develop and implement a risk management plan to mitigate identified security risks.
  • Revise its policies and procedures to ensure compliance with the HIPAA Security Rule.
  • Provide HIPAA training to all workforce members who have access to ePHI.

OCR’s Message to the Healthcare Industry

OCR Acting Director Anthony Archeval emphasized the importance of strict access controls, stating:

“In an era of hacking and ransomware attacks, HIPAA regulated entities still need to ensure that workforce members and other users with access to an electronic medical record only have access to the health information necessary for them to perform their jobs. Allowing unrestricted access to patient health information can create an attractive target for a malicious insider.”

This case serves as a warning that insider threats and credential misuse remain among the most common, and most preventable, sources of patient data breaches.

Best Practices Recommended by OCR

To help prevent similar incidents, OCR recommends that all HIPAA-regulated entities:

  • Identify where ePHI resides and how it moves throughout the organization.
  • Integrate risk analysis and risk management into everyday operations.
  • Maintain audit controls and regularly review system activity for anomalies.
  • Implement user authentication mechanisms and remove access promptly when workforce changes occur.
  • Encrypt ePHI in transit and at rest.
  • Apply lessons learned from prior incidents to strengthen security.
  • Provide role-specific HIPAA training on a regular basis.
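Two of the lapses OCR cited, not reviewing audit logs and not revoking credentials when workforce status changes, can be caught by routinely reconciling the EMR access log against the workforce roster. The following script is an added illustration written for this article, not BayCare's or OCR's tooling; the roster, the audit-log lines and the enabled-account list are constructed sample data, and the flat CSV layout is assumed.

```python
"""Reconcile EMR access-audit records against the workforce roster.

Constructed example (not BayCare's or OCR's tooling). Two checks:
  1. any ePHI access made with an account whose owner had already separated;
  2. accounts still enabled after their owner's separation date.
"""
from datetime import date, datetime

# Constructed roster: account -> separation date (None = still active).
ROSTER = {
    "jdoe": None,
    "asmith": date(2018, 7, 31),   # left an affiliated practice; access never revoked
    "mlee": date(2018, 11, 2),
}

# Constructed EMR audit-log lines: timestamp,account,action,patient_id
AUDIT_LOG = """\
2018-09-14T08:02:11,jdoe,VIEW_CHART,P1001
2018-09-14T19:45:03,asmith,VIEW_CHART,P2045
2018-09-14T19:46:30,asmith,VIEW_CHART,P2046
2018-10-01T10:12:00,mlee,VIEW_CHART,P3010
2018-10-05T23:10:41,asmith,PRINT_CHART,P2045
"""

_NOT_IN_ROSTER = object()  # sentinel: account has no roster entry at all


def parse_audit(text):
    """Parse the constructed CSV-style audit lines into dicts; skip blank lines."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, account, action, patient = line.split(",")
        events.append({"ts": datetime.fromisoformat(ts), "account": account,
                       "action": action, "patient": patient})
    return events


def access_after_separation(events, roster):
    """Events whose account belongs to someone who separated before the access.

    Accounts with no roster entry are also returned: there is no documented
    authorization for them, so a reviewer must look at them."""
    flagged = []
    for ev in events:
        separated = roster.get(ev["account"], _NOT_IN_ROSTER)
        if separated is _NOT_IN_ROSTER or (
                separated is not None and ev["ts"].date() > separated):
            flagged.append(ev)
    return flagged


def overdue_revocations(roster, enabled_accounts, review_date):
    """Accounts still enabled although their owner separated before review_date."""
    return sorted(a for a in enabled_accounts
                  if roster.get(a) is not None and roster[a] < review_date)
```

Running both checks on the sample data flags the three accesses by asmith and reports asmith as an account that should already have been disabled; the same reconciliation run weekly against the real roster is the "regular review of system activity" OCR asks for.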

Summary

The BayCare settlement underscores a critical lesson: HIPAA compliance isn’t only about external cyberattacks—it’s also about managing internal access.
Even trusted users can become a liability when access privileges aren’t properly controlled, monitored, or revoked.

A thorough, documented risk analysis, an active risk management plan, and strong access control policies are essential for preventing unauthorized disclosures and OCR enforcement actions.

At Aris Medical Solutions, our online HIPAA Keeper™ system helps healthcare providers and business associates maintain full compliance through guided risk assessments, policy updates, training, and audit tracking. All in one secure, cloud-based system.

Don’t leave patient data exposed. Schedule your HIPAA Risk Analysis and Access Control Review with Aris Medical Solutions today.

About Suze Shaffer

Suze Shaffer is the owner and president of Aris Medical Solutions. She specializes in HIPAA compliance, risk management, and cyber security. She believes that clients who understand why protection is needed and what needs to be done to protect their practice have a better outcome.

Suze has been instrumental in helping clients nationwide with risk management, implementing privacy and security rule policies and procedures, and ultimately protecting patient data. She includes state and federal regulatory requirements to ensure clients are protected in all areas.

She has spoken at numerous conferences and functions. She continues to educate organizations on how to minimize the risks of data breaches. HIPAA compliance is not an option; it is mandatory for every organization that comes in contact with protected health information to have reasonable and appropriate security measures in place. Unfortunately, most organizations don’t realize they are not compliant until they suffer a data breach or are faced with an audit or investigation.

Did you know that the Office for Civil Rights (OCR) is the agency that investigates data breaches? Have you seen the heavy fines that have been imposed for non-compliance?

All 50 states now have their own set of privacy laws and the State's Attorney General may also investigate privacy violations!
