UMMC Settles HIPAA Breach Case for $2.75 Million

by Patrick Kennedy | Jul 23, 2016

Hot on the heels of the $2.7 million HIPAA settlement with Oregon Health & Science University comes news of yet another multi-million-dollar settlement with a university.

The Department of Health and Human Services’ Office for Civil Rights (OCR) announced two days ago that the University of Mississippi Medical Center (UMMC) has agreed to settle alleged HIPAA violations and will pay a financial penalty of $2.75 million. UMMC has also agreed to adopt a corrective action plan (CAP) to bring its privacy and security standards up to the level required by HIPAA.

UMMC Reviewed After Unencrypted Laptop Computer Stolen

The settlement arises from a 2013 breach of patients’ protected health information (PHI). A laptop computer assigned to UMMC’s Medical Intensive Care Unit (MICU) was found to be missing. The laptop held the PHI of 500 patients. The device was password protected, but the data on it were not encrypted, so the password offered little real protection once the laptop was in an attacker’s hands. The laptop is believed to have been taken by a visitor who had earlier inquired about borrowing one of MICU’s laptops.

OCR investigated the breach and discovered that the exposure of 500 patients’ PHI was one of the least concerning issues. A potentially far more serious problem was UMMC’s failure to adequately secure its wireless network against external access. A generic username and password had never been changed, and anyone who entered those default credentials could reach an active directory of 67,000 files, 328 of which contained ePHI. Through that directory, the ePHI of an estimated 10,000 patients stored on one of UMMC’s network drives could have been accessed.

Breach Investigation Revealed Multiple HIPAA Violations

The investigation uncovered multiple violations of the HIPAA Rules. According to the resolution agreement, UMMC had failed to implement policies and procedures to prevent, detect, contain, and correct security violations.

UMMC had also not conducted an adequate, comprehensive risk assessment to identify potential risks to the confidentiality, integrity, and availability of ePHI, and the risks to ePHI had not been reduced to a reasonable and appropriate level. Both are requirements of the HIPAA Security Rule at 45 C.F.R. §164.308(a)(1)(i).

Sufficient physical safeguards had not been implemented to prevent ePHI from being accessed by unauthorized individuals, a violation of 45 C.F.R. §164.310(c).

Unique user identifiers had not been properly assigned, so UMMC was unable to track which individuals had accessed ePHI; a shared generic login leaves no reliable audit trail. This is a violation of 45 C.F.R. §164.312(a)(2)(i).

UMMC had also violated the Breach Notification Rule by not notifying the individual patients whose ePHI was reasonably believed to have been accessed, acquired, used, or disclosed as a result of the breach, a violation of 45 C.F.R. §164.404. UMMC had only posted a breach notice on its website and issued a release to the media.

An extensive CAP has been put in place to ensure that all of the identified HIPAA violations are addressed and that privacy and security are brought up to the level required by HIPAA. UMMC is also required to submit regular progress reports to OCR. The CAP will run for three years.

Raise the level of HIPAA Awareness in your organization with Learner-Friendly, Comprehensive and Affordable HIPAA Training.


Patrick Kennedy

Patrick Kennedy is a highly accomplished journalist and editor with nearly two decades of experience in the field. With expertise in writing and editing content, Patrick has made significant contributions to various publications and organizations. Over the course of his career, Patrick has successfully managed teams of writers, overseeing the production of high-quality content and ensuring its adherence to professional standards. His exceptional leadership skills, combined with his deep understanding of journalistic principles, have allowed him to create cohesive and engaging narratives that resonate with readers. A notable area of specialization for Patrick lies in compliance, particularly in relation to HIPAA (Health Insurance Portability and Accountability Act). He has authored numerous articles delving into the complexities of compliance and its implications for various industries. Patrick's comprehensive understanding of HIPAA regulations has positioned him as a go-to expert, sought after for his insights and expertise in this field. Patrick's bachelor's degree is from the University of Limerick and his master's degree in journalism is from Dublin City University. You can contact Patrick through his LinkedIn profile: