Following the 2.7 million HIPAA breach settlement with Oregon Health & Science University comes news of yet another multi-million-dollar settlement with a university.
The Department of Health and Human Services’ Office for Civil Rights revealed two days ago that University of Mississippi Medical Center (UMMC) has agreed to settle alleged HIPAA breaches and will pay a financial penalty of $2.75 million. UMMC has also agreed to put in place a corrective action plan (CAP) to bring privacy and security standards up to the level required by HIPAA.
UMMC Reviewed After Unencrypted Laptop Computer Stolen
The settlement arises from a breach of subscribers’ protected health information (PHI) in 2013. A laptop computer allocated to UMMC’s Medical Intensive Care Unit (MICU) was found to be missing. The laptop computer held the PHI of 500 patients. The data were not encrypted, although the laptop computer did have password protection. The laptop is believed to have been taken by a visitor who had inquired about borrowing one of MICU’s laptops.
OCR carried out an investigation into the breach and discovered that the exposure of 500 patients' PHI was one of the least concerning issues. A possibly much more serious issue was UMMC's failure to adequately secure its wireless network from external access. Investigators found 67,000 files kept in an Active Directory, 328 of which contained ePHI. A generic username and password had not been changed, and it could have been used to gain access to the data of 10,000 patients kept on one of UMMC's network drives.
Data Violation Investigation Showed Multiple HIPAA Violations
Multiple violations of HIPAA Rules were also found. According to the resolution agreement, UMMC had failed to implement policies and procedures to prevent, detect, contain, and correct security violations.
A comprehensive risk assessment to identify potential risks to the confidentiality, integrity, and availability of ePHI had also not been adequately conducted. Risks to ePHI had not been reduced to a reasonable and appropriate level, violating the HIPAA Security Rule, 45 C.F.R. §164.308(a)(1)(i).
Sufficient physical safeguards had not been implemented to stop ePHI from being accessed by unauthorized individuals, a violation of 45 C.F.R. §164.310(c).
Unique identifiers/usernames had not been properly assigned, which prevented UMMC from tracking which individuals had accessed ePHI, a violation of 45 C.F.R. §164.312(a)(2)(i).
UMMC had also violated the Breach Notification Rule by not informing patients whose ePHI was reasonably believed to have been accessed, acquired, used, or disclosed as a result of the data breach, a violation of 45 C.F.R. §164.404. UMMC had only posted a notice on its website and issued a release to the media.
An extensive CAP has been put in place to ensure that all potential HIPAA violations are addressed and that privacy and security are brought up to the level required by HIPAA. UMMC is also required to issue regular updates to OCR. The CAP will remain in force for three years.