HIPAA breach leads to first-ever 'neglect' settlement for a healthcare provider

A recent, first-of-its-kind HIPAA settlement demonstrates that long-term care and other providers need to be vigilant about updating software and other basic security tasks, officials say.

Anchorage Community Mental Health Services in Alaska has agreed to a $150,000 settlement related to a data breach that the five-facility organization self-reported to the Department of Health and Human Services Office for Civil Rights (OCR), according to a recent bulletin from that agency. It is the first settlement related to “neglect” of systems: the breach was traced to the provider's failure to “address basic risks,” such as running outdated software and failing to install patches.

“Successful HIPAA compliance requires a common sense approach to assessing and addressing the risks to ePHI [electronic protected health information] on a regular basis,” stated OCR Director Jocelyn Samuels. “This includes reviewing systems for unpatched vulnerabilities and unsupported software that can leave patient information susceptible to malware and other risks.”

The breach was caused by malware and affected the information of more than 2,700 people, according to the OCR. The healthcare provider was cooperative with the investigation and has agreed to a corrective action plan, according to authorities.

The agreement is not an admission of liability on the part of Anchorage Community Mental Health Services.