By now you have probably seen that the U.S. Department of Health and Human Services (HHS) fined Cignet Health a whopping $4.3M for, and I believe this is a legal term, being total egotistical assholes. (Because “willful neglect” just doesn’t have a good ring to it.)
This is all over the security newsfeeds, despite it having nothing to do with security. The misuse is so egregious that I suggest that, if any vendor puts this number in their sales presentation, you should simply stand up and walk out of the room. Don’t even bother to say anything – it’s better to leave them wondering.
Where do I come up with this?
The fine was due to Cignet pretty much telling HHS and a federal court to f* off when asked for materials to investigate some HIPAA complaints. To quote the ThreatPost article:
Following patient complaints, repeated efforts by HHS to inquire about the missing health records were ignored by Cignet, as was a subpoena granted to HHS’s Office of Civil Rights ordering Cignet to produce the records or defend itself in any way. When the health care provider was ordered by a court to respond to the requests, it disgorged not just the patient records in question, but 59 boxes of original medical records to the U.S. Department of Justice, which included the records of 11 individuals listed in the Office of Civil Rights Subpoena, 30 other individuals who had complained about not receiving their medical records from Cignet, as well as records for 4,500 other individuals whose information was not requested by OCR.
No IT. No security breach. No mention of security issues whatsoever. Just big boxes of paper and a bad attitude.
8 Replies to “What No One Is Saying about That Big HIPAA Fine”
If Cignet was the only HHS fine related news, I guess it would be a non-story, but they also have recently entered into a resolution agreement with Mass General, in which Mass General will pay $1,000,000 to settle the potential HIPAA violations. Mass General will also have to:
– develop and implement a set of policies and procedures to ensure PHI is protected when it is removed from Mass General
– train employees on the policies and procedures
– designate an internal monitor to conduct assessments of Mass General’s compliance with the Corrective Action Plan
– provide semi-annual reports to OCR for three years.
Tell you what, I’d rather pay a bigger fine than have regulator focus for 3 years!
Nothing to see here. This was not a security event.
I wonder what skeletons Cignet is hiding. Either that or the Cignet Legal team needs to be fired.
What was the point of Cignet’s actions? No one does the big F*** You without some reason behind it.
That’s the news story.
Regardless of the impetus, with the pending release of the “final rule”, the unprecedented fine does demonstrate that the OCR and HHS have teeth if they choose to bare them…
chao-mu,
I still disagree completely. The fines were 100% related to their obstructive response to HHS and the courts. I bet had they responded properly there would have been no fines, or vastly lower fines. But we’re going to see this $4.3M all over the place as if it was a security failure.
Okay- I don’t disagree completely… I *am* glad you enjoyed the article 🙂
I would say it intersects “information security” in several areas; data loss, exfiltration, user protection, and privacy, for example. I did enjoy the article, despite my objection.
I bet eDiscovery solution vendors are going to have a field day with this though: “inability to search records led to $4.3M fine”.
It’s easier for people to freak out and say “OMG HIPAA FUD!!!one1!” than to actually read into the facts of the story…
Exactly! I’ve already told 2 vendors to piss off when they threw this “non-compliance” number at me… Dude, you work *that* hard to piss off the Feds and you shouldn’t be surprised that you do not end up in GTMO.