Healthcare Breach and $400,000 Penalty Result From Poor Risk Assessments

Breaches are preventable failures in risk management. A healthcare breach at Metro Community Provider Network (MCPN), a federally approved organization, led to a $400,000 penalty and a mandated correction plan. The Office for Civil Rights (OCR) levied the penalty; the cause of the breach has been cited as a failure to conduct “a timely and comprehensive risk assessment,” according to Information Security Media Group.

As we’ve said before, an old proverb, “an ounce of prevention is worth a pound of cure,” is a fitting rule in risk management. Had MCPN invested in integrated risk management activities, it could have prevented the breach altogether. Instead, it’s financing corrective action (the “cure”) in response to a phishing attack, must pay $400,000 for noncompliance, and will likely suffer major damage to its reputation.

What Happened?

In January 2012, MCPN filed a healthcare breach report with OCR. A hacker reportedly “accessed employee’s email accounts and obtained 3,200 individuals’ electronic protected health information through a phishing incident.” It wasn’t until April of this year, however, that OCR revealed it had signed a resolution agreement with MCPN following the healthcare breach.

This is particularly calamitous for a healthcare organization, which the public trusts to safeguard sensitive information. Poor governance affects all of us and is never excusable. It’s negligence, and a company that allows a scandal to unfold through negligence is not merely acting unjustly; it’s violating its moral obligation to its stakeholders and community.

As described in another of our blog posts, “Use ERM to Defend Against Ransomware and Data Breaches,” phishing attacks target individual employees, often masquerading as emails from trustworthy senders.

MCPN did not conduct an enterprise risk analysis until a month after reporting the breach. Even when the organization did start assessing risk, however, those efforts were not deemed sufficient to meet the requirements of the HIPAA Security Rule.

Failure to perform risk management best practices (a minimal investment compared to the fallout of a breach) led directly to the cybersecurity incident, compliance issues, and significant negative media exposure.

Companies in Every Industry Can Learn From This Healthcare Breach

As is the case with many incidents, this healthcare breach is fundamentally not a cybersecurity issue, nor a compliance issue. It’s a governance issue. Strong governance is crucial to effective risk management, and it’s also the framework for the “ounce of prevention” that makes “a pound of cure” unnecessary.

MCPN should have started performing root-cause risk assessments well before it did. Its failure to identify and assess risks in its ePHI environment prevented the organization from implementing appropriate mitigation activities and controls.

Specifically, the $400,000 penalty is a sign that breaches and incidents are now considered “a symptom of larger issues that indicate general failures to have appropriate safeguards in place.”

Download our free eBook, 5 Steps for Better Risk Assessments, for an in-depth look at how risk profiles should be assessed to prevent breaches and other vulnerabilities.
