OCR Announces $2.14 Million HIPAA Settlement with St. Joseph Health.

Date posted: November 1, 2016

The Department of Health and Human Services (HHS) Office for Civil Rights (OCR) recently settled with St. Joseph Health (SJH), a non-profit Catholic health system.  SJH agreed to pay $2.14 million and implement corrective actions for potentially violating the Health Insurance Portability and Accountability Act (HIPAA) Privacy and Security Rules.  OCR initiated an investigation after receiving a report from SJH concerning unrestricted access to meaningful use program files.  The files contained electronic protected health information (ePHI) and were publicly accessible via internet search engines for over one year.  The breach compromised ePHI belonging to 31,800 individuals and included names, health statuses, diagnoses, and demographic information.

The OCR investigation further revealed the following:

  • SJH failed to evaluate potential environmental and operational changes upon implementing a new server for the meaningful use project;
  • The server included a file sharing application that allowed any individual with an internet connection to access the files; and
  • Though SJH hired contractors to assess the risks and vulnerabilities to the confidentiality, integrity, and availability of ePHI, the risk analysis did not meet specific Security Rule

Further, OCR imposed a corrective action plan (CAP) requiring SJH to develop and implement a risk management plan and conduct an enterprise-wide risk analysis.  The CAP also requires SJH to revise existing policies and procedures, and train staff members on the new guidelines.

The OCR press release is available at:


Department of Health and Human Services Office for Civil Rights.  “$2.14 Million HIPAA Settlement Underscores Importance of Managing Security Risk.”  Press Release.  18 Oct. 2016.

‹ Return to the Main News Page
‹ Return to the CRC Homepage