Share this article on:
Oregon Health & Science University (OHSU) has agreed to settle a case with the Department of Health and Human Services’ Office for Civil Rights stemming from two data breaches experienced in 2013. A penalty of $2.7 million will be paid by OHSU to settle alleged HIPAA violations without admission of liability.
The privacy breaches occurred shortly after each other in 2013. Within the space of three months, the protected health information of over 7,000 patients was exposed.
The first breach of patient data involved the theft of an unencrypted laptop computer from a vacation apartment in Hawaii that was rented by an OHSU physician. The laptop computer contained the PHI of 4,022 patients.
The second incident involved the accidental disclosure of PHI via a cloud storage service. Physicians were using the Internet service to share a spreadsheet containing patient data. However, the cloud service provider was a HIPAA business associate of OHSU and no business associate agreement had been obtained prior to the service being used. Consequently, the data of 3,044 patients was placed at risk.
In addition to the hefty financial penalty, OHSU must adopt a robust corrective action plan (CAP) to ensure all security issues are addressed and patient privacy is adequately protected. The CAP – which will last for a period of three years – also requires OHSU to submit regular reports to the OCR.
Both data breaches triggered internal investigations and measures were put in place to improve security and keep the PHI of patients private. OHSU followed the requirements of the HIPAA Breach Notification Rule and informed patients of the breaches, issued media notices, and submitted reports to the OCR. Affected patients were also offered identity theft protection and credit monitoring services to help manage risk.
However, the OCR investigation revealed HIPAA Rules had been violated. Had HIPAA Rules been followed, the breaches could have been prevented and patient data would not have been placed at risk. Given the seriousness of the violations, a financial penalty was deemed to be appropriate.
According to a statement issued by OHSU’s CIO Brigdet Barnes, OHSU is now “investing at an unprecedented level in proactive measures to further safeguard patient information.”