$650,000 HIPAA Fine

July 6, 2016 Posted by W. Jackson Schultz, CISA Cybersecurity, IT Advisory Services, IT Security

In a landscape-shaping turn of events, the first HIPAA Business Associate has been required to pay a $650,000 fine due to its failure to safeguard protected health information (PHI) and electronic protected health information (ePHI). Catholic Health Care Services of the Archdiocese of Philadelphia (CHCS) has agreed to settle and pay this substantial penalty after 412 individuals’ PHI was compromised through the theft of an organization-issued mobile device that was not password protected. The compromised information belonged to nursing home patients from six nursing home facilities around Philadelphia.

The size of the fine stems from CHCS’ lack of controls to prevent an incident such as this. It was apparent to the Office of Civil Rights (OCR) during the investigation that CHCS had no formal policies covering the removal of mobile devices containing PHI from its facilities or the organization’s response to a security incident. In addition, OCR noted that CHCS had not performed a risk analysis or implemented a risk management plan. Each of these items is a violation of the HIPAA Security Rule. It appears that the compromised ePHI included Social Security numbers, diagnosis and treatment information, medical procedures, medication information and the names of family members and legal guardians.

In setting the resolution amount, OCR noted that “CHCS provides unique and much-needed services in the Philadelphia region to the elderly, developmentally disabled individuals, young adults aging out of foster care, and individuals living with HIV/AIDS.” Had the organization not been deemed such a valuable service provider, the fine may have been even greater.

If you have any questions regarding OCR’s decision, the settlement, or the fine, please contact:

Michael Hammond, CISA, CISSP, CRISC, C|EH
Director, IT Audit Services at [email protected]

or

W. Jackson Schultz, CISA
Senior IT Audit & Security Consultant at [email protected]

Tags: Penetration Testing

About W. Jackson Schultz, CISA

Jackson is a senior auditor with OCD Tech. Currently, Jackson performs IT audit control testing for OCD Tech clients.
