Bizmatics Data Breach OCR Investigation Comes to a Close

by Ryan Coyne | Aug 30, 2016

The Department of Health and Human Services’ Office for Civil Rights (OCR) has closed its investigation into the 2015 Bizmatics data breach. The breach, identified in late 2015, affected many of the company’s clients.

The investigation found that malware had been installed in early 2015 on a server housing the company’s PrognoCIS EMR database. At least 300,000 patients were affected and potentially had their protected health information (PHI) exposed as a result of the infection.

A thorough breach investigation was completed, but Bizmatics was unable to confirm whether any data were actually viewed or copied by the attacker responsible for installing the malware. Bizmatics issued no public breach announcement, although all affected clients were notified where the PHI of their patients was potentially accessed.

OCR carried out its own investigation into the breach, and the case has now been closed with no action against the business associate deemed necessary.

When OCR carries out a data breach investigation, investigators assess the organization to determine whether HIPAA Rules have been violated. OCR also reviews the actions taken after the breach was discovered, to confirm that unauthorized access to data has been blocked and that any security vulnerabilities have been properly addressed.

When the actions of a covered entity or business associate are found to be insufficient, or when serious violations of HIPAA Rules are discovered, a financial penalty may be deemed appropriate. In other cases, the actions taken to mitigate risk and prevent further PHI breaches are found to be sufficient. This appears to be the case with Bizmatics Inc.

After identifying the malware, Bizmatics removed it and carried out a comprehensive scan of its systems to determine whether any traces of malware or backdoors remained. A risk assessment was completed; anti-virus and anti-malware software were upgraded, as were computer hardware and operating systems. Bizmatics also changed its firewall configurations and its server and account passwords.

In addition, Bizmatics set more stringent password policies and purchased and installed a new network traffic monitoring system so that future intrusions can be detected promptly. OCR received written assurances that these measures had been implemented and ruled the action taken by the business associate to be adequate.

While Bizmatics appears to be in the clear, that does not mean no financial penalties will be issued as a result of the breach. The covered entities that filed breach reports with OCR in connection with the Bizmatics breach are likely to be reviewed as well.

Raise the level of HIPAA Awareness in your organization with Learner-Friendly, Comprehensive and Affordable HIPAA Training.

COMPREHENSIVE HIPAA TRAINING

Ryan Coyne

Ryan Coyne is a results-driven leader in the healthcare compliance industry, specializing in regulatory compliance, compliance training, and assisting healthcare organizations and business associates in achieving and maintaining compliance. With a deep knowledge of healthcare regulations and a keen understanding of the challenges faced by the industry, Ryan has developed a reputation as a trusted advisor and advocate for ethical and compliant practices in healthcare. Ryan has successfully advised and guided numerous healthcare organizations, business associates, and healthcare professionals on achieving and maintaining compliance with regulatory training requirements. Ryan's professional focus is using his in-depth expertise and leading a world class team of subject matter experts at ComplianceJunction in regulatory compliance to help organisations navigate the complex landscape of ensuring staff adhere to healthcare regulations. You can connect with Ryan via LinkedIn and follow on Twitter
