University of Washington Medicine has agreed to settle with the Department of Health and Human Services’ Office for Civil Rights, and will pay a HIPAA fine of $750,000 for potential HIPAA violations stemming from a 90,000-record data breach suffered in 2013
Flurry of HIPAA Enforcement Activity as 2015 Draws to a Close
There has been a flurry of HIPAA enforcement activity over the past few weeks. First came news of a $90,000 settlement between the Connecticut OIG and Hartford Hospital in late November, then news of an $850,000 settlement between OCR and Lahey Hospital and Medical Center. That was closely followed by the announcement of a $3.5 million settlement between OCR and Triple-S of Puerto Rico, and now University of Washington Medicine (UWM) has agreed to settle potential HIPAA violations with OCR.
Spam Email Behind 90,000-Record Data Breach
On November 27, 2013, University of Washington Medicine alerted OCR to a data breach that exposed the Protected Health Information (PHI) of approximately 90,000 UWM patients. The breach occurred because an employee fell for an email scam: the employee opened a file attached to a spam email, which installed malware on the healthcare provider's computer network. Through that infection, hackers obtained the PHI of approximately 15,000 patients, including their Social Security numbers. The PHI of approximately 76,000 other UWM patients was also compromised in the same incident.
OCR Investigation Reveals Potential HIPAA Security Rule Violation
OCR investigates all data breaches affecting 500 or more individuals, and oftentimes multiple violations of HIPAA Rules are discovered. In this case, OCR investigators identified one potential HIPAA Security Rule violation.
The Security Rule's security management process standard – 45 C.F.R. § 164.308(a)(1) – requires all HIPAA-covered entities to conduct an accurate and thorough risk analysis to identify security vulnerabilities that could place the electronic Protected Health Information (ePHI) of patients at risk of exposure. Covered entities must identify and address all risks to the confidentiality, integrity, and availability of ePHI in order to comply with this aspect of the HIPAA Security Rule.
UWM had conducted a risk analysis; however, OCR investigators found that it was not comprehensive: it did not cover all entities affiliated with University of Washington Medicine, including University of Washington Medical Center, UWM's main teaching hospital.
$750,000 HIPAA Breach Settlement and Corrective Action Plan
UWM agreed to settle the case with OCR without admission of liability. A settlement payment of $750,000 must be made to OCR, and UWM has also agreed to a corrective action plan to address its HIPAA failures. UWM must conduct a comprehensive risk analysis that covers everything missed by the Meaningful Use risk assessment it conducted in August 2014, and must conduct further risk analyses as and when appropriate, with a full risk analysis at least annually. Reports of these risk analyses must be submitted to OCR. After each risk analysis, UWM must formulate a risk management plan and ensure that all security vulnerabilities discovered during the analysis are addressed. The risk management plan must also be submitted to OCR.
UWM has also agreed to submit other reports to OCR, and will adhere to document retention recommendations. The full resolution agreement can be downloaded here.