BayCare Health System fined $800K for Impermissible Access Exploited by a Malicious Insider

The settlement reinforces the need for strong access controls under HIPAA

The U.S. Department of Health and Human Services (HHS), Office for Civil Rights (OCR), announced a settlement with BayCare Health System, a Florida-based healthcare provider, for potential violations of the HIPAA Security Rule. The case stemmed from a complaint alleging impermissible access to a patient’s electronic protected health information (ePHI), highlighting the ongoing need for covered entities to manage and monitor system access carefully.

BayCare agreed to pay $800,000 and implement a two-year Corrective Action Plan (CAP) to resolve OCR’s findings and strengthen its data security practices.

History

In October 2018, OCR received a complaint from a patient who reported being contacted by an unknown individual possessing photographs of her printed medical records and a video that appeared to show someone scrolling through her records on a computer screen after she received care at a BayCare facility.

OCR’s investigation revealed that the login credentials used to access the records belonged to a non-clinical former employee of a physician practice that had access to BayCare’s electronic medical record system for shared patient care. The improper access exposed weaknesses in BayCare’s user authorization and monitoring controls.

OCR’s Findings

OCR determined that BayCare potentially violated multiple provisions of the HIPAA Security Rule, including failure to:

  • Implement proper policies and procedures for authorizing access to ePHI consistent with the Privacy Rule.
  • Reduce risks and vulnerabilities to ePHI to a reasonable and appropriate level.
  • Regularly review audit logs and system activity to detect unauthorized access.

These lapses allowed a former staff member to retain and misuse access credentials—an avoidable risk that underscores the importance of continuous access management and workforce oversight.

Settlement Terms

Under the Resolution Agreement, BayCare will:

  • Pay $800,000 to HHS OCR.
  • Undergo a two-year Corrective Action Plan monitored by OCR.
  • Conduct a complete risk analysis to identify potential threats and vulnerabilities to ePHI.
  • Develop and implement a risk management plan to mitigate identified security risks.
  • Revise its policies and procedures to ensure compliance with the HIPAA Security Rule.
  • Provide HIPAA training to all workforce members who have access to ePHI.

OCR’s Message to the Healthcare Industry

OCR Acting Director Anthony Archeval emphasized the importance of strict access controls, stating:

“In an era of hacking and ransomware attacks, HIPAA regulated entities still need to ensure that workforce members and other users with access to an electronic medical record only have access to the health information necessary for them to perform their jobs. Allowing unrestricted access to patient health information can create an attractive target for a malicious insider.”

This case serves as a warning that insider threats and credential misuse remain one of the most common—and preventable—sources of patient data breaches.

Best Practices Recommended by OCR

To help prevent similar incidents, OCR recommends that all HIPAA-regulated entities:

  • Identify where ePHI resides and how it moves throughout the organization.
  • Integrate risk analysis and risk management into everyday operations.
  • Maintain audit controls and regularly review system activity for anomalies.
  • Implement user authentication mechanisms and remove access promptly when workforce changes occur.
  • Encrypt ePHI in transit and at rest.
  • Apply lessons learned from prior incidents to strengthen security.
  • Provide role-specific HIPAA training on a regular basis.
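The audit-control, minimum-necessary and access-revocation practices in the list above are easiest to see in working form. The following Python script is an added example written for this page; it is not OCR guidance and not BayCare's or Aris Medical Solutions' tooling. It reviews a constructed EMR access audit log against an HR roster and a role-to-record-type matrix and flags four conditions: access by an account whose owner was terminated but never deprovisioned (the BayCare scenario), access by an account with no roster entry, a role viewing record types outside its minimum-necessary set, and a user viewing an unusual number of distinct patients in one day (the pattern behind bulk insider theft). The log format, user ids, roster, role permissions and the per-day threshold are all assumptions made up for the example.

```python
"""Review an EMR access audit log for insider-access red flags.

Added example (not from the original page). The log format, roster,
role matrix and thresholds below are constructed assumptions.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import date, datetime

# Constructed sample audit log. Assumed format per line:
#   <ISO timestamp> <user id> <patient id> <record type> <action>
SAMPLE_LOG = """\
2018-10-02T09:14:05 u1001 P-4471 clinical_note view
2018-10-02T09:15:40 u1001 P-4471 lab_result view
2018-10-02T11:02:11 u2002 P-9083 billing view
2018-10-02T22:47:19 u3003 P-1120 clinical_note view
2018-10-02T22:48:02 u3003 P-1120 imaging view
2018-10-03T01:10:00 u9999 P-5551 clinical_note view
2018-10-03T08:00:01 u2002 P-0001 billing view
2018-10-03T08:02:13 u2002 P-0002 billing view
2018-10-03T08:04:55 u2002 P-0003 billing view
2018-10-03T08:06:10 u2002 P-0004 billing view
2018-10-03T08:08:42 u2002 P-0005 billing view
2018-10-03T08:10:30 u2002 P-0006 billing view
"""

# Constructed HR roster: role plus termination date (None = still employed).
# u3003 left in August but the account was never disabled.
ROSTER = {
    "u1001": {"role": "physician", "terminated": None},
    "u2002": {"role": "billing_clerk", "terminated": None},
    "u3003": {"role": "front_desk", "terminated": date(2018, 8, 15)},
}

# Constructed minimum-necessary matrix: record types each role may view.
ROLE_PERMITS = {
    "physician": {"clinical_note", "lab_result", "imaging", "billing"},
    "billing_clerk": {"billing"},
    "front_desk": {"demographics"},
}


@dataclass
class Finding:
    reason: str      # terminated_user_access | unknown_account | role_mismatch | volume_anomaly
    user: str
    timestamp: str   # event time, or the day for volume findings
    detail: str


def parse_log(text):
    """Parse the constructed whitespace-separated audit format into event dicts."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, user, patient, record_type, action = line.split()
        events.append({"ts": datetime.fromisoformat(ts), "user": user,
                       "patient": patient, "record_type": record_type,
                       "action": action})
    return events


def review_access(log_text, roster, role_permits, max_patients_per_day=5):
    """Return a list of Findings for events that warrant human review."""
    findings = []
    per_user_day = defaultdict(set)  # (user, day) -> distinct patients viewed
    for ev in parse_log(log_text):
        user, ts = ev["user"], ev["ts"]
        stamp = ts.isoformat()
        entry = roster.get(user)
        if entry is None:
            # Account not known to HR: orphaned, shared or test credential.
            findings.append(Finding("unknown_account", user, stamp,
                                    "no roster entry for this account"))
            continue
        term = entry["terminated"]
        if term is not None and ts.date() >= term:
            findings.append(Finding("terminated_user_access", user, stamp,
                                    f"access {(ts.date() - term).days} days after "
                                    f"termination on {term}; account not deprovisioned"))
        allowed = role_permits.get(entry["role"], set())
        if ev["record_type"] not in allowed:
            findings.append(Finding("role_mismatch", user, stamp,
                                    f"role {entry['role']} viewed {ev['record_type']} "
                                    f"for {ev['patient']}"))
        per_user_day[(user, ts.date())].add(ev["patient"])
    # Volume check: many distinct patients per day is the bulk-theft signature.
    for (user, day), patients in sorted(per_user_day.items()):
        if len(patients) > max_patients_per_day:
            findings.append(Finding("volume_anomaly", user, day.isoformat(),
                                    f"{len(patients)} distinct patients in one day "
                                    f"(limit {max_patients_per_day})"))
    return findings


if __name__ == "__main__":
    for f in review_access(SAMPLE_LOG, ROSTER, ROLE_PERMITS):
        print(f"{f.reason:24} {f.user:6} {f.timestamp:20} {f.detail}")
```

On the constructed data the review returns six findings: two for the terminated front-desk account that still reads clinical notes and images (each event is also a role mismatch), one for the account missing from the roster, and one volume anomaly for the billing clerk who viewed six patients in one morning. In practice the roster would come from the HR system of record, the role matrix from the organization's written access policy, and the threshold would be tuned per role from a baseline of normal activity; the value of the exercise is that each finding is tied to a specific control OCR names, so the review output doubles as evidence that audit review is actually happening.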

Summary

The BayCare settlement underscores a critical lesson: HIPAA compliance is not only about external cyberattacks; it is also about managing internal access. Even trusted users can become a liability when access privileges are not properly controlled, monitored, or revoked.

A thorough, documented risk analysis, an active risk management plan, and strong access control policies are essential for preventing unauthorized disclosures and OCR enforcement actions.

At Aris Medical Solutions, our online HIPAA Keeper™ system helps healthcare providers and business associates maintain full compliance through guided risk assessments, policy updates, training, and audit tracking, all in one secure, cloud-based system.

Don’t leave patient data exposed. Schedule your HIPAA Risk Analysis and Access Control Review with Aris Medical Solutions today.

Montefiore Medical Center fined $4.75M for Malicious Insider

The U.S. Department of Health and Human Services (HHS), Office for Civil Rights (OCR) announced a $4.75 million settlement with Montefiore Medical Center, a New York City hospital system. The settlement resolves multiple potential HIPAA Security Rule violations.

OCR enforces HIPAA’s Privacy, Security, and Breach Notification Rules. HIPAA requires health care providers, insurers, and other entities to protect the privacy and security of patient information.

Montefiore failed to safeguard its systems. An employee stole and sold the protected health information (PHI) of 12,517 patients over six months. Montefiore reported the breach after the NYPD uncovered the theft in 2015.

OCR’s investigation found Montefiore failed to:

  • Analyze and identify risks to PHI.
  • Monitor activity on its information systems.
  • Implement effective policies and procedures.

Because of these failures, Montefiore neither prevented the theft nor detected it until years later.

Settlement Terms

Montefiore must pay $4.75 million and follow a Corrective Action Plan (CAP). The CAP requires Montefiore to:

  • Conduct a complete risk analysis.
  • Develop and implement a risk management plan.
  • Install monitoring systems to record and review PHI activity.
  • Review and update HIPAA policies and procedures.
  • Train staff on HIPAA requirements.

OCR will monitor Montefiore for two years.

Key Quotes

OCR Director Melanie Fontes Rainer said:

“Cyber-attacks from malicious insiders are not uncommon. The risks to patient information cannot be ignored. Health care systems must follow the law and act quickly to protect records.”

HHS Deputy Secretary Andrea Palm added:

“Patients must trust providers to protect their records. Our priority remains safeguarding patients and ensuring providers implement strong security policies.”

OCR reported that 134 million people were affected by large breaches in 2023, compared to 55 million in 2022. OCR urges health care providers, health plans, and business associates to:

  • Conduct regular risk analyses.
  • Monitor information system activity.
  • Use multi-factor authentication.
  • Encrypt PHI.
  • Train staff frequently.
  • Update policies based on lessons learned from incidents.

At Aris Medical Solutions, our HIPAA Keeper™ platform helps healthcare providers simplify compliance by maintaining up-to-date policies, procedures, and workforce training to meet every aspect of the HIPAA Privacy and Security Rules.

Don’t risk costly penalties. Ensure your Compliance Officer understands their responsibility.

Schedule your HIPAA compliance review today and protect your organization from the next enforcement headline.

©2025 Aris Medical Solutions – HIPAA Keeper | HIPAA Compliance Consultants | All Rights Reserved