The U.S. Department of Health and Human Services' Office for Civil Rights has levied a $548,265 fine against Aurora-based Children's Hospital Colorado for violating HIPAA Privacy and Security Rules.
The penalty stems from data breaches reported in 2017 and 2020, in which phishing attacks compromised the protected health information (PHI) of thousands of patients. According to a Dec. 5 press release, OCR found the hospital failed to implement adequate safeguards for electronic PHI (ePHI), as required by federal standards. Lapses included the absence of multi-factor authentication on an email account and insufficient workforce training on privacy and security protocols.
The first breach in 2017 exposed the PHI of 3,370 individuals after a phishing attack exploited an email account. OCR's investigation revealed that multi-factor authentication — a key cybersecurity measure — had been disabled, allowing the breach to occur.
The second incident in 2020 involved the compromise of three email accounts containing PHI for 10,840 individuals. Investigators determined the breaches were partly caused by employees granting unauthorized access to third parties, underscoring gaps in cybersecurity awareness and training.
In June 2024, OCR issued a notice of proposed determination to impose the monetary penalty. Children's Hospital Colorado chose not to contest the findings or request a hearing, resulting in the finalization of the $548,265 fine.