It's not often that HHS issues a Civil Monetary Penalty. Normally the Covered Entity or Business Associate works with HHS to create a Corrective Action Plan (CAP) to lessen the financial impact following a breach. In this case JHS waived its right to a hearing, did not contest HHS' findings as listed in their Notice of Proposed Determination and apparently did not seek a CAP.
JHS is a not-for-profit healthcare system that operates six hospitals, urgent care centers, primary and specialty care centers, nursing facilities and corrections clinics. From 2013 to 2016 JHS suffered breaches that included lost paper records and multiple cases of inappropriate ePHI access. It also failed to report all breaches as required by HHS.
During the investigation HHS determined that JHS also:
ran a "HIPAA compliance program that had been in disarray for a number of years,"
had a "...compliance program (that) failed to detect and stop an employee who stole and sold thousands of patient records,"
"lost patient files without notifying OCR as required by law" and
"failed to properly secure PHI that was leaked to the media."
That first listed item really strikes a chord with us. We've seen far more agencies still running programs in disarray than we would like. Many of them are just looking for the least amount of effort and cost to "check the box" (e.g. for a CMS reimbursement check), and we hope that each of these organizations realizes the shortcomings of this approach - before they are breached and suffer a fate similar to JHS.