Bizmatics Data Breach OCR Investigation Comes to a Close

by Patrick Kennedy | Aug 30, 2016

The investigation by the Department of Health and Human Services’ Office for Civil Rights (OCR) into the 2015 Bizmatics data breach has closed. The breach, which was identified in late 2015, affected many of the company’s clients.

It was found that malware had been installed in early 2015 on a server housing the company’s PrognoCIS EMR database. At least 300,000 patients were affected and potentially had their PHI exposed as a result of the infection.

A thorough breach investigation was completed, but Bizmatics was unable to confirm whether data had actually been viewed or copied by the person responsible for installing the malware. Bizmatics issued no public breach announcement, although all affected clients were notified that the PHI of their patients had potentially been accessed.

OCR carried out an investigation into the breach, and it now appears that the case has been closed with no action against the business associate deemed necessary.

When OCR carries out a data breach investigation, investigators assess the company to determine whether HIPAA Rules have been violated. OCR also examines the actions taken after the breach was discovered to ensure that access to the data has been blocked and that any security vulnerabilities have been properly addressed.

When the actions of the covered entity or business associate are found to be insufficient, or when serious violations of HIPAA Rules are discovered, a financial penalty may be deemed appropriate. In some cases, however, the actions taken to mitigate risk and prevent further PHI breaches are found to be sufficient. That appears to be the case with Bizmatics Inc.

Following the identification of the malware, Bizmatics removed the malicious software and carried out a comprehensive scan of its systems to determine whether any traces of malware or backdoors remained. A risk assessment was completed; anti-virus and anti-malware software were upgraded, as were computer hardware and operating systems. Bizmatics also changed its firewall configurations and its server and account passwords.

In addition, Bizmatics strengthened security by setting more stringent password policies and by purchasing and installing a new network traffic monitoring system so that any future intrusions can be detected promptly. OCR received written assurances that these measures had been implemented and ruled the action taken by the business associate to be adequate.

While Bizmatics appears to be in the clear, that does not mean no financial penalties will be issued as a result of the breach. All covered entities that filed breach reports with OCR regarding the Bizmatics breach are likely to be reviewed.


Patrick Kennedy