Florida Hospital Fined $2.15 Million for Theft and Sale of Records

October 24, 2019 | Ada Kozicz | Electronic Health Records | HIPAA | Hospitals | Litigation

The U.S. Department of Health and Human Services’ Office for Civil Rights (OCR) announced on October 23 that Jackson Health System (JHS) in Miami has received a civil money penalty of $2,154,000 for violations of HIPAA’s Security and Breach Notification Rules. OCR Director Roger Severino said, “OCR’s investigation revealed a HIPAA compliance program that had been in disarray for a number of years.” JHS serves over 650,000 patients per year through a network of six hospitals, urgent care centers, primary and specialty care practices, nursing facilities and other clinics.

After reporting to OCR the loss of paper records of 756 patients in 2013, JHS’s internal investigation revealed that another 680 patients’ records had been lost, but it did not report the additional loss until 2016. In a separate incident in 2015, OCR investigated JHS when media reporters shared a photograph of an operating room screen that included a patient’s medical information. JHS reported an additional breach in 2016 when it discovered that a hospital employee had inappropriately accessed over 24,000 patient records and sold some of them.

After investigating all of these incidents, OCR concluded that JHS did not timely report the breaches and did not conduct enterprise-wide risk analyses to identify and manage risk areas appropriately. JHS did not contest OCR’s findings and probably considers itself fortunate that the penalty was not greater.
