
Children’s Hospital Colorado Pays Over $500,000 for MFA Failures Leading to HIPAA Breach

April 8, 2026

HHS Office for Civil Rights reached a settlement with Children’s Hospital Colorado following a data breach that exposed the protected health information of thousands of patients. The breach was tied directly to failures in implementing multi-factor authentication (MFA) across critical systems, resulting in a penalty exceeding $500,000.

OCR’s investigation determined that the hospital had not implemented sufficient technical safeguards: because MFA was not enforced, unauthorized individuals were able to access systems containing ePHI through compromised credentials. Even large, well-resourced healthcare organizations are not exempt from HIPAA’s technical safeguard requirements.

Enforcement findings included:

  • Failure to implement multi-factor authentication on systems storing ePHI
  • Insufficient technical access controls allowing credential-based compromise
  • Gaps in risk analysis that failed to identify authentication weaknesses

The settlement included a corrective action plan requiring the hospital to implement MFA, conduct a comprehensive risk analysis, and update its security policies.

Why this matters: MFA is no longer a best practice — in OCR’s view, it is a baseline requirement for protecting ePHI. AXIS CloudSync enforces two-factor authentication for all user accounts and implements granular access controls, directly addressing the categories of failures OCR cited in this case.
