The Office for Civil Rights (OCR) has announced that it has entered into a settlement with St. Joseph Health, which operates hospitals and nursing homes in California, Texas and New Mexico, for $2.14 million for alleged HIPAA violations.

St. Joseph Health notified the OCR on February 14, 2012, of a data breach involving the protected health information of 31,800 patients when one of its servers included a file sharing application that used default settings and allowed access to the information through the internet in 2011 and 2012. According to the press release, the information was available through internet search engines during that time frame.

The files were pdf files that included the names, health status, diagnosis and demographic information of the patients.

The OCR noted that although St. Joseph Health hired contractors to assess risks and vulnerabilities of ePHI on its system, those assessments “did not result in an enterprise risk analysis.” According to the OCR, the security risk assessment was conducted in a “patchwork fashion and did not result in an enterprise-wide risk analysis.” Unfortunately, there is no further information on what the OCR means by this statement or what type of security risk assessment it deems sufficient.

In addition to the fine, St. Joseph also entered into a Corrective Action Plan with the OCR.