A hacking incident reported by Oklahoma State University – Center for Health Sciences (OSU-CHS) in January 2018 was investigated by the Department of Health and Human Services’ (HHS) Office for Civil Rights (OCR), which identified violations of seven provisions of the HIPAA Privacy, Security, and Breach Notification Rules. The case has now been settled: OSU-CHS has agreed to a corrective action plan, two years of monitoring, and a financial penalty of $875,000. OSU-CHS settled the case with no admission of wrongdoing.
On January 5, 2018, OSU-CHS notified OCR that an unauthorized third party had gained access to a web server that contained the electronic protected health information (ePHI) of 279,865 individuals. OCR was informed that the breach had occurred on November 7, 2017. Files on the web server included ePHI such as names, Medicaid numbers, healthcare provider names, dates of service, dates of birth, addresses, and treatment information.
The hacking incident resulted in an impermissible disclosure of the ePHI of 279,865 individuals, in violation of 45 C.F.R. § 164.502(a). Measured against the reported breach date of November 7, 2017, the notifications to HHS and affected individuals appeared to have been issued within the allowable 60-day time frame. However, OSU-CHS subsequently reported that the hackers had first accessed the web server on March 9, 2016, some 20 months earlier. OCR determined that there had been a failure to provide timely breach notifications to affected individuals and to HHS, in violation of 45 C.F.R. § 164.404 and 45 C.F.R. § 164.408 of the Breach Notification Rule.
OCR investigated OSU-CHS to assess compliance with the HIPAA Security Rule and identified multiple areas of non-compliance. OSU-CHS had not conducted an accurate and comprehensive risk analysis to identify risks and vulnerabilities to ePHI, in violation of 45 C.F.R. § 164.308(a)(1)(ii)(A) of the HIPAA Security Rule.
The HIPAA Security Rule requires audit controls to be implemented. OCR found that the audit controls in place were insufficient, in violation of 45 C.F.R. § 164.312(b). Periodic technical and nontechnical evaluations are required in response to environmental or operational changes that affect the security of ePHI, and these had not been conducted, in violation of 45 C.F.R. § 164.308(a)(8). There were also failures related to security incident response and reporting, in violation of 45 C.F.R. § 164.308(a)(6)(ii).
“HIPAA-covered entities are vulnerable to cyber-attackers if they fail to understand where ePHI is stored in their information systems,” said OCR Director Lisa J. Pino. “Effective cybersecurity starts with an accurate and thorough risk analysis and implementing all of the Security Rule requirements.”
In addition to highlighting the importance of HIPAA Security Rule compliance, the enforcement action should serve as a warning to HIPAA-regulated entities about timely breach notification. The Breach Notification Rule requires notifications to be issued within 60 days of the date a breach is discovered, and there has been a growing trend for HIPAA-covered entities to issue notifications after that deadline. Delaying notifications puts HIPAA-regulated entities at risk of financial penalties.