Oklahoma State University – Center for Health Sciences (OSU-CHS) has paid $875,000 to settle potential violations of the Health Insurance Portability and Accountability Act (HIPAA) stemming from a data breach that compromised the information of nearly 280,000 patients.
Payment was made to the Office for Civil Rights (OCR) at the U.S. Department of Health and Human Services (HHS), with the university also agreeing to develop a corrective action plan that includes two years of monitoring.
A provider of preventative, rehabilitative and diagnostic care, OSU-CHS filed a breach report in January 2018, saying that an unauthorized third party accessed its web server and installed malware that exposed the electronic protected health information for 279,865 individuals.
Data disclosed included names, Medicaid numbers, healthcare provider names, dates of service, dates of birth, addresses, and treatment information. The university originally said the breach occurred in November 2017, but later said it was in March 2016.
Upon investigating the matter, OCR found that OSU-CHS's actions may have violated the HIPAA Privacy, Security, and Breach Notification Rules. The potential violations included impermissible uses and disclosures of PHI; failure to conduct an accurate and thorough risk analysis; failure to perform an evaluation; failure to implement audit controls and security incident response and reporting procedures; and failure to provide timely breach notification to affected individuals and HHS.
“HIPAA-covered entities are vulnerable to cyberattackers if they fail to understand where ePHI is stored in their information systems. Effective cybersecurity starts with an accurate and thorough risk analysis and implementing all of the Security Rule requirements,” said OCR Director Lisa Pino in a statement.
In an op-ed published by JD Supra, Abyde, a software company whose products help medical practices with HIPAA compliance education, wrote that the settlement amount signifies that “even for huge organizations like OSU, the right risk analysis practices and HIPAA-compliant policies are a must in order to prevent impermissible safeguarding or access to ePHI.”