HIPAA Journal is the leading provider of news, updates, and independent advice for HIPAA compliance

Oregon Health & Science University to Pay OCR $2.7 Million for 2013 Data Breaches

Oregon Health & Science University (OHSU) has agreed to settle a case with the Department of Health and Human Services’ Office for Civil Rights stemming from two data breaches experienced in 2013. A penalty of $2.7 million will be paid by OHSU to settle alleged HIPAA violations without admission of liability.

The two privacy breaches occurred within three months of each other in 2013 and together exposed the protected health information (PHI) of more than 7,000 patients.

The first breach of patient data involved the theft of an unencrypted laptop computer from a vacation apartment in Hawaii that was rented by an OHSU physician. The laptop computer contained the PHI of 4,022 patients.

The second incident involved the accidental disclosure of PHI via a cloud storage service. Physicians were using the Internet service to share a spreadsheet containing patient data. Because the cloud service provider was handling PHI on OHSU’s behalf, it was a HIPAA business associate of OHSU, yet no business associate agreement had been obtained before the service was used. Consequently, the data of 3,044 patients was placed at risk.


In addition to the hefty financial penalty, OHSU must adopt a robust corrective action plan (CAP) to ensure all security issues are addressed and patient privacy is adequately protected. The CAP – which will last for a period of three years – also requires OHSU to submit regular reports to the OCR.

Both data breaches triggered internal investigations and measures were put in place to improve security and keep the PHI of patients private. OHSU followed the requirements of the HIPAA Breach Notification Rule and informed patients of the breaches, issued media notices, and submitted reports to the OCR. Affected patients were also offered identity theft protection and credit monitoring services to help manage risk.

However, the OCR investigation revealed HIPAA Rules had been violated. Had HIPAA Rules been followed, the breaches could have been prevented and patient data would not have been placed at risk. Given the seriousness of the violations, a financial penalty was deemed to be appropriate.

According to a statement issued by OHSU’s CIO Bridget Barnes, OHSU is now “investing at an unprecedented level in proactive measures to further safeguard patient information.”

Author: Steve Alder is the editor-in-chief of HIPAA Journal. Steve is responsible for editorial policy regarding the topics covered on HIPAA Journal. He is a specialist on healthcare industry legal and regulatory affairs, and has several years of experience writing about HIPAA and other related legal topics. Steve has developed a deep understanding of regulatory issues surrounding the use of information technology in the healthcare industry and has written hundreds of articles on HIPAA-related topics.