Breach leads to $400,000 settlement
Last week OCR announced a settlement with Metro Community Provider Network (MCPN) from Denver, Colorado following a data breach that exposed ePHI for 3,200 individuals. The settlement included a $400,000 fine and the implementation of a corrective action plan. Additional details can be found in the press release.
"On January 27, 2012, MCPN filed a breach report with OCR indicating that a hacker accessed employees' email accounts and obtained 3,200 individuals' ePHI through a phishing incident. OCR’s investigation revealed that MCPN took necessary corrective action related to the phishing incident; however, the investigation also revealed that MCPN failed to conduct a risk analysis until mid-February 2012."
MCPN filed a breach report at the end of January 2012, but had not conducted a risk analysis until mid-February.
- Lesson #1 - Risk analysis is more effective before a breach. Once MCPN did begin performing risk analyses, those analyses still did not sufficiently address the Security Rule requirements.
- Lesson #2 - Utilize HIPAA experts rather than taking a do-it-yourself approach to risk assessments and analysis. There are many free tools available to assess HIPAA risk, but without the aid of subject matter experts, your remediation plans may fall short.
HIPAA Risk Advisor
Focal Point’s HIPAA Risk Advisor is a cloud-based platform that simplifies and accelerates HIPAA compliance initiatives. HIPAA Risk Advisor includes an automated security risk assessment tool and access to a dedicated HIPAA security expert to navigate you through the entire process, providing a risk and gap analysis with recommendations to improve security.
HIPAA Risk Advisor is primarily delivered through our IT Service Provider channel partners. These partners are ready to assist with remediation services to reduce risk and help both Covered Entities and Business Associates achieve compliance.