2.75 Million Dollar HIPAA Settlement Reached with UMMC

Hot on the heels of the $2.7 million HIPAA breach settlement with Oregon Health & Science University comes news of a second multi-million-dollar settlement, this time with the University of Mississippi Medical Center.

The Department of Health and Human Services’ Office for Civil Rights announced yesterday that University of Mississippi Medical Center (UMMC) has agreed to settle alleged HIPAA violations and will pay a financial penalty of $2.75 million. UMMC has also agreed to adopt a corrective action plan (CAP) to bring privacy and security standards up to the level required by HIPAA.

UMMC Investigated After Theft of Unencrypted Laptop Computer

The settlement stems from a breach of patients' protected health information (PHI) in 2013. A laptop computer issued to UMMC's Medical Intensive Care Unit (MICU) was discovered to be missing. The laptop contained the PHI of 500 patients. The data were not encrypted, although the laptop was password protected. A login password on its own does not protect data at rest: an attacker with physical possession of the device can remove the drive or boot from other media and read the files directly, which is why OCR treats unencrypted ePHI on a lost or stolen device as a reportable breach regardless of the login password. The laptop is believed to have been stolen by a visitor who had asked about borrowing one of MICU's laptops.

OCR conducted an investigation into the breach and found that the exposure of 500 patients' PHI was one of the least worrying issues. Potentially much more serious was UMMC's failure to adequately secure its wireless network from external access. Investigators discovered that a generic username and password, which had never been changed, gave anyone on the wireless network access to an active directory of 67,000 files stored on one of UMMC's network drives. That directory included 328 files containing the ePHI of an estimated 10,000 patients. Shared, never-rotated credentials of this kind also defeat accountability: when every user logs in with the same account, access logs cannot attribute a read of ePHI to any individual.

Breach Investigation Revealed Multiple HIPAA Violations

Multiple violations of HIPAA Rules were also discovered. According to the resolution agreement, UMMC had failed to implement its own policies and procedures for preventing, detecting, containing, and correcting security violations.

A comprehensive risk assessment to identify potential risks to the confidentiality, integrity, and availability of ePHI had also not been satisfactorily conducted, and risks to ePHI had not been reduced to a reasonable and appropriate level, violating the HIPAA Security Rule, 45 C.F.R. §164.308(a)(1)(i).

Sufficient physical controls had not been implemented to prevent ePHI from being accessed by unauthorized individuals, a violation of 45 C.F.R. §164.310(c).

Unique identifiers/usernames had not been assigned to users, which prevented UMMC from tracking which individuals had accessed ePHI, a violation of 45 C.F.R. §164.312(a)(2)(i).

UMMC had also violated the Breach Notification Rule by failing to notify the individual patients whose ePHI was reasonably believed to have been accessed, acquired, used, or disclosed as a result of the data breach, a violation of 45 C.F.R. §164.404. UMMC had only posted a breach notice on its website and issued a notification to the media; neither substitutes for the individual notice the rule requires.

An extensive CAP has been adopted to ensure that all potential HIPAA violations are addressed and that privacy and security are brought up to the level required by HIPAA. UMMC is also required to issue regular reports to OCR. The CAP will remain in force for a period of 3 years.

Author: Steve Alder has many years of experience as a journalist, and comes from a background in market research. He is a specialist on legal and regulatory affairs, and has several years of experience writing about HIPAA. Steve holds a B.Sc. from the University of Liverpool.