University of Washington Medicine School Fined $750,000

University of Washington Medicine has agreed to settle a HIPAA fine of $750,000, for potential HIPAA violations with the Department of Health and Human Services’ Office for Civil Rights, arising from a 90,000-record data breach experienced in 2013.

There has been an increase of HIPAA enforcement activity recently. Initially came news of a $90,000 settlement between the Connecticut OIG and Hartford Hospital in late November, followed by the announcement of a $850,000 settlement between OCR and Lahey Hospital and Medical Center. Then there another announcement of a $3.5 million settlement between OCR Tripe-S of Puerto Rico, and now University of Washington Medicine has agreed to settle potential HIPAA breaches with OCR.

On November 27, 2013, University of Washington Medicine made a data breach that exposed the Protected Health Information (PHI) of approximately 90,000 UWM patients known to the OCR. The data breach occurred adue to an employee falling for an email scam. A file included with a spam email was opened by the employee, which resulted in malware being installed on the healthcare provider’s computer network system. The malware infection lead to hackers obtaining the PHI of approximately 15,000 patients, including their Social Security numbers. The PHI of almost 76,000 other UWM patients was also compromised as a result of the security violation.

OCR carries out investigations into all data breaches involving the exposure of more than 500 records, and often multiple violations of HIPAA Rules are found. OCR investigators found one potential HIPAA Security Rule violation.

The Security Rule calls for all HIPAA-covered bodies to conduct a thorough risk analysis – 45 C.F.R. § 164.308(a)(1)(i) – to assess for security vulnerabilities that could potentially place the electronic Protected Health Information (ePHI) of patients at risk of exposure. Covered bodies must identify and address all risks to the confidentiality, integrity, and availability of e-PHI in order to adhere with this aspect of the HIPAA Security Rule.

UWM had completed a risk analysis; however, OCR investigators ruled that it was not comprehensive, and did not cover all bodies affiliated with University of Washington Medicine, including University of Washington Medical Center, which is the main teaching center of UWM.

UWM agreed to settle the case with OCR with no admission of liability. A fine of $750,000 must be paid to OCR, and UWM has also agreed to implement an action plan to address HIPAA failures. UWM must finish a comprehensive risk analysis, including all aspects missed from the HIPAA Meaningful Use risk assessment carried out in August 2014. UWM must also conduct further risk reviews as and when necessary. At a the very least, an annual risk analysis must be conducted. Reports of these risk analyses must be filed to OCR. After each risk analysis, UWM must put in place a risk management plan and ensure that all security vulnerabilities found during the risk analysis are addressed. The risk management plan must also be filed to OCR.

UWM has also agreed to file other reports to OCR, and will comply with the document retention recommendations. The full resolution agreement can be viewed here.