On January 5, 2018, Oklahoma State University – Center for Health Sciences (OSU-CHS) reported a web server hacking incident to the U.S. Department of Health and Human Services’ (HHS) Office for Civil Rights (OCR). The subsequent OCR investigation determined multiple areas of noncompliance with the Privacy, Security, and Breach Notification Rules of the Health Insurance Portability and Accountability Act (HIPAA). Yesterday, OCR announced that OSU-CHS agreed to settle the investigation and HIPAA compliance violations and has paid a financial penalty of $875,000. OSU-CHS will also implement a corrective action plan to address all areas of noncompliance.
The data breach in question was reported as occurring on November 7, 2017. The breach notifications sent to affected individuals and the Secretary of the HHS were therefore issued within the 60 days permitted by the HIPAA Breach Notification Rule. However, it was later reported that the security breach had occurred 20 months previously, on March 9, 2016.
One of the most important elements of HIPAA Security Rule compliance is conducting an accurate, comprehensive, organization-wide risk analysis to identify risks and vulnerabilities to the confidentiality, integrity, and availability of electronic protected health information (ePHI). OCR determined that an accurate risk assessment had not been conducted.
Whenever there are environmental or operational changes affecting the security of ePHI, HIPAA-covered entities are required to conduct an evaluation. No such evaluation had been performed. OSU-CHS also failed to implement appropriate audit controls, and there were security incident response and reporting failures. As a result of the incident, there was an impermissible disclosure of the ePHI of 279,865 individuals.
In total, OCR determined that there had been potential violations of 7 provisions of the HIPAA Rules and such widespread noncompliance warranted a financial penalty. OSU-CHS will also be closely monitored for HIPAA compliance and compliance with the corrective action plan for 2 years.
HIPAA-regulated entities need to ensure they are fully compliant with the HIPAA Rules. Had OSU-CHS been fully compliant, the attack and data breach might have been prevented. “HIPAA-covered entities are vulnerable to cyber-attackers if they fail to understand where ePHI is stored in their information systems,” said OCR Director Lisa J. Pino. “Effective cybersecurity starts with an accurate and thorough risk analysis and implementing all of the Security Rule requirements.”