$400,000 Penalty in HIPAA CaseIdaho State University Cited After Breach Investigation
Idaho State University has agreed to pay $400,000 as part of a resolution agreement stemming from an incident it reported in August 2011 that potentially could have exposed information on 17,500 patients at the university's Pocatello Family Medicine Clinic. Patient information was vulnerable for at least 10 months because a firewall protecting a server was disabled, according to the Department of Health and Human Services' Office for Civil Rights.
"The firewall was disabled for maintenance purposes, and, unfortunately, was not restored properly," Gregory Ehardt, HIPAA assistant compliance officer at Idaho State University, told Information Security Media Group. "We did not have the proper security measures at Pocatello Family Medicine at the time."
But the security lapse did not result in inappropriate access to "individually identifiable information" stored on a server that was protected by the firewall, Ehardt says. "After thorough due diligence and an external audit, we determined that no patient records were accessed and the data was not compromised."
University Accepts Findings
The university accepts all of the findings of OCR's investigation, Ehardt adds. "After working closely with OCR for over a year, we were prepared to accept their findings and learn from this experience," he says.
OCR reports that its investigation determined that the university had not conducted risk analyses for its clinics for five years. "OCR concluded that ISU did not apply proper security measures and policies to address risks to ePHI [electronic protected health information] and did not have procedures for routine review of their information in place, which could have detected the firewall breach much sooner," according to an OCR release.
The university agreed to a comprehensive corrective action plan that calls for, among other steps, updating a risk management plan and conducting an updated HIPAA compliance gap analysis.
HIPAA Enforcement Efforts
As part of its ramped-up HIPAA enforcement efforts, OCR has issued hefty penalties in the wake of other investigations of relatively small breach incidents.
For example, it entered a resolution agreement with Massachusetts Eye and Ear Infirmary that included a $1.5 million penalty. That investigation, which identified HIPAA non-compliance issues, was triggered by a laptop theft that affected about 3,500 patients. Also, the Alaska Department of Health and Social Services paid a $1.7 million settlement as part of a resolution agreement related to a pattern of non-compliance discovered by OCR when it investigated the theft of a stolen unencrypted storage device that allegedly contained data on about 500 Medicaid beneficiaries (see: Another Big Fine After a Small Breach).