Post Date: October 25, 2016

St. Joseph Health (SJH), a nonprofit health care delivery system, recently agreed to pay $2.14 million and to adopt a comprehensive corrective action plan after it was reported that it potentially disclosed the electronic protected health information (ePHI) of 31,800 individuals.

The breach occurred as a result of SJH storing files containing ePHI on a server that included a file sharing application. According to the Office for Civil Rights (OCR), following the purchase and implementation of the server and file sharing application, SJH failed to examine or modify it to ensure that ePHI stored on it would remain confidential. The default settings on the application made the ePHI publicly accessible via Google and other internet search engines.

In addition to paying the settlement amount, SJH must comply with the terms of a corrective action plan (CAP) for a period of three years. SJH's obligations under the CAP include the following:

  • Conducting an enterprise-wide risk analysis
  • Developing and implementing a risk management plan
  • Revising policies and procedures
  • Training workforce members on the revised policies and procedures

Additional information regarding this settlement including the Resolution Agreement and Corrective Action Plan can be found on the OCR website at

To learn more about HIPAA developments and best practices, register for our upcoming webinar, Behind the HIPAA Headlines at