University of Washington Medicine School Fined $750,000

by | Dec 15, 2015

University of Washington Medicine (UWM) has agreed to pay $750,000 to settle potential HIPAA violations with the Department of Health and Human Services’ Office for Civil Rights (OCR). The settlement arises from a data breach experienced in 2013 that affected approximately 90,000 patients.

HIPAA enforcement activity has picked up recently. First came news of a $90,000 settlement between the Connecticut OIG and Hartford Hospital in late November, followed by the announcement of an $850,000 settlement between OCR and Lahey Hospital and Medical Center. Then came a $3.5 million settlement between OCR and Triple-S of Puerto Rico, and now University of Washington Medicine has agreed to settle potential HIPAA violations with OCR.

On November 27, 2013, University of Washington Medicine reported to OCR a data breach that exposed the Protected Health Information (PHI) of approximately 90,000 UWM patients. The breach occurred because an employee fell for an email scam: the employee opened a file attached to a spam email, which resulted in malware being installed on the healthcare provider’s computer network. The malware infection led to attackers obtaining the PHI of approximately 15,000 patients, including their Social Security numbers. The PHI of almost 76,000 other UWM patients was also compromised as a result of the same incident.

OCR investigates all data breaches affecting 500 or more individuals, and such investigations often uncover multiple violations of HIPAA Rules. In this case, OCR investigators found one potential HIPAA Security Rule violation.

The Security Rule requires all HIPAA-covered entities to conduct a thorough risk analysis – 45 C.F.R. § 164.308(a)(1)(i) – to identify security vulnerabilities that could place patients’ electronic Protected Health Information (ePHI) at risk of exposure. To comply with this provision of the Security Rule, covered entities must identify and address all risks to the confidentiality, integrity, and availability of ePHI, across every system and affiliated entity that creates, receives, maintains, or transmits it.

UWM had completed a risk analysis; however, OCR investigators determined that it was not comprehensive, because it did not cover all entities affiliated with University of Washington Medicine, including University of Washington Medical Center, UWM’s main teaching hospital.

UWM agreed to settle the case with OCR with no admission of liability. In addition to paying $750,000 to OCR, UWM has agreed to implement a corrective action plan to address its HIPAA failures. UWM must complete a comprehensive, enterprise-wide risk analysis that includes all aspects missed by the Meaningful Use risk assessment carried out in August 2014. UWM must also conduct further risk analyses as and when necessary, and at the very least an annual risk analysis must be performed. Reports of these risk analyses must be submitted to OCR. After each risk analysis, UWM must put in place a risk management plan and ensure that all security vulnerabilities identified during the risk analysis are addressed. The risk management plan must also be submitted to OCR.

UWM has also agreed to submit other reports to OCR and to comply with the document retention provisions of the agreement. The full resolution agreement can be viewed here.

Raise the level of HIPAA Awareness in your organization with Learner-Friendly, Comprehensive and Affordable HIPAA Training.


Patrick Kennedy

Patrick Kennedy is a highly accomplished journalist and editor with nearly two decades of experience in the field. With expertise in writing and editing content, Patrick has made significant contributions to various publications and organizations. Over the course of his career, Patrick has successfully managed teams of writers, overseeing the production of high-quality content and ensuring its adherence to professional standards. His exceptional leadership skills, combined with his deep understanding of journalistic principles, have allowed him to create cohesive and engaging narratives that resonate with readers. A notable area of specialization for Patrick lies in compliance, particularly in relation to HIPAA (Health Insurance Portability and Accountability Act). He has authored numerous articles delving into the complexities of compliance and its implications for various industries. Patrick's comprehensive understanding of HIPAA regulations has positioned him as a go-to expert, sought after for his insights and expertise in this field. Patrick's bachelor's degree is from the University of Limerick and his master's degree in journalism is from Dublin City University. You can contact Patrick through his LinkedIn profile: