U-Miss Medical Center gets $2.75M fine for HIPAA violations
The HHS Office for Civil Rights is continuing its aggressive effort of sanctioning covered entities and business associates who have run afoul of HIPAA privacy and security rules, this time taking aim at University of Mississippi Medical Center.
UMMC will pay a $2.75 million fine and enter into a resolution agreement and corrective action plan after an OCR investigation determined the hospital was aware of vulnerabilities to protected health information since at least April 2005—the compliance date of the HIPAA Security Rule. The agency contends that the organization took no meaningful action to mitigate risk until after the theft of a laptop in 2013. While the computer was password protected, it was not encrypted.
OCR also cited the fact that, while the hospital provided notice of the breach on its web site and to local media, it did not notify patients whose information was on the stolen laptop.
“OCR’s investigation revealed that ePHI stored on a UMMC network drive was vulnerable to unauthorized access via UMMC’s wireless network because users could access an active directory containing 67,000 files after entering a generic username and password,” according to an OCR statement. “The directory included 328 files containing the ePHI of an estimated 10,000 patients dating back to 2008.”
In the resolution agreement, OCR said the hospital failed to implement appropriate policies and procedures to comply with HIPAA and protect data. UMMC accepted the resolution agreement, but noted that the acceptance is not an admission of liability.
OCR charged that UMMC had not implemented security measures sufficient to reduce risks and vulnerabilities to reasonable and appropriate levels; failed to implement safeguards for all workstations accessing ePHI; failed to assign a unique username or number for identifying and tracking users; allowed employees to access ePHI on a shared department network drive through a generic account that prevented tracking; and failed “to notify each individual whose unsecured ePHI was reasonably believed to have been accessed, acquired, used or disclosed as a result of the breach” after the discovery of the breach.
In a three-year corrective action plan, UMMC commits to designate a qualified employee to be the internal monitor of compliance with the plan, with at least 46 specific milestones of compliance expected to be completed.
In a statement, UMMC notes it has initiated substantial improvements in information security in recent years. Improvements include encryption of all laptops; restructuring of the role and reporting relationships of the chief information security officer; and implementing an outside assessment and overhaul of its IT security program.
“Our patients should never have to doubt that their privacy is a sacred trust that we are committed to protecting as part of our core ethical values,” says LouAnn Woodward, MD, vice chancellor for health affairs, in the statement. “We have learned from this experience and are working hard to ensure that our information security program meets or exceeds the highest standard.”
The resolution agreement and corrective action plan are available here.