Metro Community Provider Network (MCPN) – a public health nonprofit was fined and paid a $400,000 penalty for allowing a hacker to access employee email accounts and obtain electronic protected health information (ePHI) of 3,200 patients. MCPN provides primary care, pharmacies, social work, dental and behavioral care to approximately 43,000 low income patients. MCPN reported the security breach in January 2012.

The U.S. Department of Health and Human Services Office of Civil Rights (OCR) found MCPN violated the HIPAA Security Rule by not implementing adequate cybersecurity methods and procedures.

“Specifically, MCPN has failed to conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity and availability of ePHI held by MCPN,” OCR reported in the official Resolution Agreement. “Further, MCPN has failed to implement security measures sufficient to reduce risks and vulnerabilities to a reasonable and appropriate level.”

Year to date, OCR has collected $11.8 million in HIPPA breach payments. In 2016, the agency collected $23.5 million and $6.2 million in 2015.