Oklahoma State University Settles HIPAA Case with OCR for $875,000

The Department of Health and Human Services’ (HHS) Office for Civil Rights (OCR) has announced that Oklahoma State University – Center for Health Sciences (OSU-CHS) has agreed to settle a HIPAA investigation stemming from a web server hacking incident and has agreed to pay a financial penalty of $875,000 to resolve potential violations of the HIPAA Privacy, Security, and Breach Notification Rules.

OSU-CHS is a public land-grant research university that provides preventive, rehabilitative, and diagnostic care in Oklahoma. OCR launched a HIPAA investigation after receiving a breach report on January 5, 2018, in response to the hacking of an OSU-CHS web server. OSU-CHS determined that malware had been installed on the server which allowed the hacker(s) to access the electronic protected health information of 279,865 individuals.

The information exposed and potentially obtained by an unauthorized third party included names, Medicaid numbers, healthcare provider names, dates of service, dates of birth, addresses, and treatment information. OSU-CHS initially declared that the data breach occurred on November 7, 2017; however, it was later reported that the hackers first had access to the ePHI of patients 20 months earlier on March 9, 2016,

OCR investigators determined OSU-CHS had potentially violated the following provisions of the HIPAA Rules:

Please see the HIPAA Journal Privacy Policy

  • Impermissible disclosure of the ePHI of 279,865 individuals – 45 C.F.R. § 164.502(a)
  • Failure to conduct a comprehensive and accurate organization-wide risk analysis –45 C.F.R. § 164.308(a)(l)(ii)(A)
  • Failure to perform a periodic technical and nontechnical evaluation in response to environmental or operational changes affecting the security of ePHI – 45 C.F.R. 164.308(a)(8)
  • Failure to implement audit controls – 45 C.F.R. § 164.312(b)
  • A security incident response and reporting failure – 45 C.F.R. § 164.308(a)(6)(ii)
  • Failure to provide timely breach notification to affected individuals – 45 C.F.R. § 164.404
  • Failure to provide timely breach notification to the Secretary of the HHS – 45 C.F.R. § 164.408

In addition to the financial penalty, OSU-CHS has agreed to implement a corrective action plan to resolve all areas of non-compliance identified by OCR and will be closely monitored for compliance with the corrective action plan and the HIPAA Rules for two years. The case was settled with no admission of liability or wrongdoing.

“HIPAA-covered entities are vulnerable to cyber-attackers if they fail to understand where ePHI is stored in their information systems,” said OCR Director Lisa J. Pino. “Effective cybersecurity starts with an accurate and thorough risk analysis and implementing all of the Security Rule requirements.”

This is the fifth financial penalty to be imposed by OCR in 2022 to resolve HIPAA violations, and the 111th penalty to be imposed since OCR was given the authority to fine HIPAA-regulated entities for HIPAA violations.

Author: Steve Alder has many years of experience as a journalist, and comes from a background in market research. He is a specialist on legal and regulatory affairs, and has several years of experience writing about HIPAA. Steve holds a B.Sc. from the University of Liverpool.