BayCare Health System HIPAA Fine

In a powerful reminder that internal threats can be just as dangerous as external cyberattacks, the U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR) has announced an $800,000 settlement with Florida-based BayCare Health System. The agreement resolves allegations of multiple potential violations of the HIPAA Security Rule stemming from unauthorized access to a patient’s electronic protected health information (ePHI) by a former staff member.

A Serious Breach of Patient Trust

The incident that sparked the investigation began in October 2018, when a patient filed a complaint with OCR after being contacted by a stranger. This individual not only had photos of the patient's printed medical records but also a video of someone scrolling through her information on a computer screen. The credentials used in the breach belonged to a former, non-clinical employee of a physician's practice affiliated with BayCare; the practice had been given access to the health system's electronic medical records to support continuity of patient care.

OCR’s investigation uncovered that BayCare had potentially failed to:

  • Implement effective access control policies aligned with HIPAA Privacy Rule standards
  • Mitigate risks and vulnerabilities to ePHI to a reasonable level
  • And routinely review system activity to detect suspicious access

These lapses enabled a malicious insider to exploit the system, violating the fundamental trust between patients and providers.

A Call to Action for the Health Care Sector

“In an era of hacking and ransomware attacks, HIPAA-regulated entities still need to ensure that workforce members and other users with access to an electronic medical record only have access to the health information necessary for them to perform their jobs,” said OCR Acting Director, Anthony Archeval. “Allowing unrestricted access to patient health information can create an attractive target for a malicious insider.”

To avoid similar missteps, OCR urges all HIPAA-regulated entities, including hospitals, insurers, and business associates, to go beyond check-the-box compliance. This includes proactively identifying where ePHI resides, conducting comprehensive risk analyses, implementing strict audit controls, and ensuring that only authorized individuals have access to sensitive health data.

BayCare’s Path to Compliance

As part of the settlement, BayCare has committed to a robust corrective action plan monitored by OCR for two years. This plan requires BayCare to:

  • Perform a detailed risk assessment of its ePHI systems
  • Develop and execute a risk management strategy
  • Update its internal policies and access control protocols
  • And deliver targeted HIPAA training to all relevant workforce members

Lessons for the Industry

This case is a clear signal that health care organizations must treat insider threats with the same seriousness as external cyberattacks. Regular review of access logs, thoughtful segmentation of access privileges, and workforce training specific to job roles are all crucial to maintaining HIPAA compliance and preserving patient trust.
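The two controls OCR faulted, role-based restriction of record access and routine review of system activity, are easy to describe and easy to skip. The following is an added example, not code from BayCare, OCR, or any EHR vendor: a minimal review of EHR audit-log events against a workforce roster. The roster, the log format (one event per line: timestamp, user, patient, record section), the role-to-section allow list, and the sample log lines are all constructed for illustration; a real review would pull the roster from HR and identity systems and the events from the EHR's audit trail. It flags the patterns this case turned on (a deprovisioned account still reading records, a non-clinical role opening clinical notes, a clinician opening a chart with no treatment relationship, and rapid browsing across many patients).

```python
"""Added example (not BayCare's, OCR's, or any vendor's code): routine review
of constructed EHR audit-log events against a constructed workforce roster."""
from collections import Counter, defaultdict
from dataclasses import dataclass
from datetime import datetime

# Constructed roster: account -> role, active flag, patients under their care.
ROSTER = {
    "rn_patel":  {"role": "clinical",     "active": True,  "patients": {"P100", "P101"}},
    "md_chen":   {"role": "clinical",     "active": True,  "patients": {"P100", "P102"}},
    "billing_1": {"role": "non-clinical", "active": True,  "patients": set()},
    "ext_jdoe":  {"role": "non-clinical", "active": False, "patients": set()},  # terminated
}

# Minimum-necessary allow list (assumption): sections a non-clinical role may open.
NON_CLINICAL_ALLOWED = {"demographics", "insurance"}

# Constructed audit log. Format is an assumption: "timestamp user patient section".
SAMPLE_LOG = """
2018-10-01T09:02:11 rn_patel P100 clinical_notes
2018-10-01T09:05:40 md_chen P102 labs
2018-10-01T09:30:02 billing_1 P101 insurance
2018-10-01T22:14:55 ext_jdoe P103 clinical_notes
2018-10-01T22:16:10 ext_jdoe P104 clinical_notes
2018-10-01T22:19:33 ext_jdoe P105 clinical_notes
2018-10-02T08:00:00 rn_patel P105 clinical_notes
"""


@dataclass
class Event:
    ts: datetime
    user: str
    patient: str
    section: str  # which part of the record was opened


def parse_log(text):
    """Parse the constructed log format into Event objects, skipping blank lines."""
    events = []
    for line in text.strip().splitlines():
        if not line.strip():
            continue
        ts, user, patient, section = line.split()
        events.append(Event(datetime.fromisoformat(ts), user, patient, section))
    return events


def review(events, roster=ROSTER, volume_threshold=3):
    """Return (rule, user, detail) findings for events that violate the roster rules."""
    findings = []
    patients_per_user = defaultdict(set)  # distinct charts opened by each account
    for e in events:
        entry = roster.get(e.user)
        if entry is None:
            # Credentials not tied to any known workforce member.
            findings.append(("unknown-account", e.user, e.patient))
            continue
        if not entry["active"]:
            # Account should have been deprovisioned when the person left.
            findings.append(("terminated-account", e.user, e.patient))
        if entry["role"] == "non-clinical" and e.section not in NON_CLINICAL_ALLOWED:
            # Role has no job need for this part of the record.
            findings.append(("role-exceeds-minimum-necessary", e.user, e.patient))
        if entry["role"] == "clinical" and e.patient not in entry["patients"]:
            # Clinician opened a chart for a patient they are not treating.
            findings.append(("no-treatment-relationship", e.user, e.patient))
        patients_per_user[e.user].add(e.patient)
    for user, charts in patients_per_user.items():
        if len(charts) >= volume_threshold:
            # Many distinct charts in one window suggests browsing, not care.
            findings.append(("high-volume-browsing", user, f"{len(charts)} patients"))
    return findings


def summarize(findings):
    """Count findings per rule so a reviewer can see what dominates the report."""
    return dict(Counter(rule for rule, _, _ in findings))


if __name__ == "__main__":
    results = review(parse_log(SAMPLE_LOG))
    for rule, user, detail in results:
        print(f"{rule:34} {user:10} {detail}")
    print(summarize(results))
```

Running this over the constructed log produces eight findings: the terminated account trips both the deprovisioning rule and the minimum-necessary rule on each of its three reads and then the browsing rule, while the active nurse is flagged once for a chart outside their patient list. The point of the exercise is not the rules themselves but that they only work when the roster is current: an account that HR marked inactive but that the identity system never disabled is exactly the gap this settlement describes.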

For more on the resolution agreement and to view the full corrective action plan, visit the HHS OCR website.

If you suspect a violation of your HIPAA rights, you can file a complaint at HHS OCR Complaints.
