Weak IT system brings first HIPAA provider settlement

Data breaches are becoming more common - and costly.
Data breaches are becoming more common - and costly.

A first-of-its-kind HIPAA settlement demonstrates that long-term care needs to be vigilant about updating software and other basic security tasks, officials say.

In December, Anchorage Community Mental Health Services in Alaska agreed to a $150,000 settlement related to a data breach that the organization self-reported to the U.S. Department of Health and Human Services Office for Civil Rights.

It is the first settlement related to “neglect” of systems, because the breach was traced to the provider's failure to “address basic risks,” such as running outdated, unsupported software and failing to install patches.

“Successful HIPAA compliance requires a common sense approach to assessing and addressing the risks to ePHI [electronic personal health information] on a regular basis,” stated OCR Director Jocelyn Samuels. “This includes reviewing systems for unpatched vulnerabilities and unsupported software that can leave patient information susceptible to malware and other risks.”

OCR officials opened an investigation after ACMHS notified them about a breach of unsecured ePHI affecting more than 2,700 individuals due to malware compromising the security of its information technology resources. The investigation revealed that ACMHS had adopted sample Security Rule policies and procedures in 2005, but that these were not followed.

The provider was cooperative with the investigation and agreed to a corrective action plan, authorities said. ACMHS is also required to report on the state of its compliance to OCR for a two-year period. The agreement is not an admission of liability on the part of Anchorage Community Mental Health Services.

To assist organizations that handle protected health information in conducting a review of safeguards, the government offers a Security Rule Risk Assessment Tool, available at www.healthit.gov