$400,000 Penalty in HIPAA Case

Idaho State University Cited After Breach Investigation
$400,000 Penalty in HIPAA Case

Federal regulators have demonstrated yet again that an investigation of a relatively small breach incident can result in a substantial penalty for HIPAA non-compliance.

See Also: Webinar | 2023 OT Cybersecurity Year in Review: Lessons Learned from the Frontlines

Idaho State University has agreed to pay $400,000 as part of a resolution agreement stemming from an incident it reported in August 2011 that potentially could have exposed information on 17,500 patients at the university's Pocatello Family Medicine Clinic. Patient information was vulnerable for at least 10 months because a firewall protecting a server was disabled, according to the Department of Health and Human Services' Office for Civil Rights.

"The firewall was disabled for maintenance purposes, and, unfortunately, was not restored properly," Gregory Ehardt, HIPAA assistant compliance officer at Idaho State University, told Information Security Media Group. "We did not have the proper security measures at Pocatello Family Medicine at the time."

But the security lapse did not result in inappropriate access to "individually identifiable information" stored on a server that was protected by the firewall, Ehardt says. "After thorough due diligence and an external audit, we determined that no patient records were accessed and the data was not compromised."

University Accepts Findings

The university accepts all of the findings of OCR's investigation, Ehardt adds. "After working closely with OCR for over a year, we were prepared to accept their findings and learn from this experience," he says.

OCR reports that its investigation determined that the university had not conducted risk analyses for its clinics for five years. "OCR concluded that ISU did not apply proper security measures and policies to address risks to ePHI [electronic protected health information] and did not have procedures for routine review of their information in place, which could have detected the firewall breach much sooner," according to an OCR release.

The university agreed to a comprehensive corrective action plan that calls for, among other steps, updating a risk management plan and conducting an updated HIPAA compliance gap analysis.

HIPAA Enforcement Efforts

As part of its ramped-up HIPAA enforcement efforts, OCR has issued hefty penalties in the wake of other investigations of relatively small breach incidents.

For example, it entered a resolution agreement with Massachusetts Eye and Ear Infirmary that included a $1.5 million penalty. That investigation, which identified HIPAA non-compliance issues, was triggered by a laptop theft that affected about 3,500 patients. Also, the Alaska Department of Health and Social Services paid a $1.7 million settlement as part of a resolution agreement related to a pattern of non-compliance discovered by OCR when it investigated the theft of a stolen unencrypted storage device that allegedly contained data on about 500 Medicaid beneficiaries (see: Another Big Fine After a Small Breach).

About the Author

Howard Anderson

Howard Anderson

Former News Editor, ISMG

Anderson was news editor of Information Security Media Group and founding editor of HealthcareInfoSecurity and DataBreachToday. He has more than 40 years of journalism experience, with a focus on healthcare information technology issues. Before launching HealthcareInfoSecurity, he served as founding editor of Health Data Management magazine, where he worked for 17 years, and he served in leadership roles at several other healthcare magazines and newspapers.

Around the Network

Our website uses cookies. Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing healthcareinfosecurity.com, you agree to our use of cookies.