Jackson Health System to pay $2.15 million for HIPAA violations.

On October 23, 2019, The Office for Civil Rights (OCR) at the U.S. Department of Health and Human Services imposed a penalty of $2.15 million on Jackson Health System (JHS). OCR revealed that JHS had violated HIPAA multiple times between 2011 and 2016.

The incidents.

In 2012, JHS had misplaced a box containing 1,436 paper records containing the protected health information (PHI) of patients. However, they failed to notify the affected patients and the Department of Health and Human Services in time.

In 2015, JHS shared a picture of an operating room screen on social media that contained a patient’s medical information. In another incident that was reported in 2016, a malicious employee stole and sold the PHI of around 2,000 patients. Investigations that followed revealed that the employee had access to over 24,000 patient records from 2011 to 2016 that JHS was unaware of. JHS had not notified the authorities regarding the breach in time; they also did not conduct wide risk analyses, manage identified risks, review information system activity records, or restrict employee access to the PHI of the patients to the minimum required to accomplish their duties.

"Protecting patient privacy is a top priority at Jackson Health System, and we're disappointed whenever we fall short of our high expectations," a spokesperson for the health system said. "Jackson recognized and reported this because strong organizations like ours admit their errors clearly, learn from them thoughtfully, and take decisive action to prevent them in the future."

Don't want to make the news for the wrong reasons? Download ManageEngine Log360, the tool that can help combat both internal and external security attacks.

How ManageEngine can help.

HIPAA mandates the standards companies need to follow to protect and maintain the confidentiality of personally identifiable health care information. ManageEngine Log360, a comprehensive log management solution, helps IT security admins meet HIPAA requirements by monitoring and auditing access to critical data. This solution identifies and tracks suspicious insider activity as well.

Log360 provides out-of-the-box reports with exhaustive information on data access, user activity, user logon and logoff activity, and more. With these reports, you can draw meaningful insights on accesses, modifications, and permissions of critical files to help mitigate insider threats. This solution also generates real-time email or SMS alerts that help instantly mitigate any compliance violations. 

Using Log360, you can:

  • Monitor all modifications to PHI across file servers to detect and resolve any violations.
  • Audit and report on all data accesses to PHI to ensure that no unauthorized changes are taking place.
  • Track and monitor all changes to access rights and file server permissions to identify anomalies.
  • Utilize customizable, built-in capabilities for alerts to regularly audit file and folder-related activities.
  • Obtain detailed information on user logon and logoff activity such as the username, date, and time; reason for the logon failure; and more.
  • Detect and respond to mass file accesses with customizable, automated responses.
  • Identify local system processes such as system startups, shutdowns, or changes to the system time or audit logs using preconfigured reports.
  • Securely archive audit log data so that at any point in time, the audit log data can be loaded back to the database, and forensic analysis can be conducted to identify the root cause of unauthorized attempts, if any.

Download a free trial version of Log360 to test these features out yourself.

© 2022 Zoho Corporation Pvt. Ltd. All rights reserved.


Stay In The Know

Thank you

You will receive weekly cybersecurity news soon!

  • Please enter a business email id
    By clicking 'I'm Interested', you agree to processing of personal data according to the Privacy Policy.