This morning we read that BJC HealthCare has settled with the plaintiffs in its class action lawsuit(s), agreeing to set aside $2.7M for some pretty basic security controls, following a successful 2020 phishing attack that compromised up to 288,000 people's protected health information.
While phishing attacks happen and criminals still suck, the outcome of the all-but-guaranteed litigation can be less financially painful if a HIPAA-bound entity is running a program focused on risk, compliance and security. Employing people who understand that security controls continue to improve, as in the case of multifactor authentication (also known as two-factor authentication, MFA or 2FA), can place an organization ahead of the curve when its information services are attacked.
It was amazing (not in a good way...) to read that BJC lacked a written password policy, had not implemented MFA/2FA for remote email access, may not have been providing regular training as required by § 164.308(a)(5)(i) and § 164.308(a)(5)(ii)(A), and was not maintaining a written security policy. All of these items are reasonably or directly tied to Security Rule citations, and we don't know why BJC failed to maintain them ahead of this breach, especially when we read that they had also been breached twice before within two years.
HIPAA isn't hard. It's work, and it's work that requires some skill sets and understanding, but reading about failures like this, especially across such a large healthcare system, is mind-boggling. If you need to get yourself or your team up to speed, or just need someone you can call when you have a question, we're here for you.
Stay (HIPAA) safe,