[BreachExchange] $2.7 Million HIPAA Penalty for Two Smaller Breaches

[Audrey McNeil]

http://www.databreachtoday.com/27-million-hipaa-penalty-for-two-smaller-breaches-a-9270

In the wake of two 2013 breaches that affected a total of 7,066
individuals, Oregon Health & Science University says it will pay $2.7
million in a HIPAA settlement with federal regulators that includes a
three-year corrective action plan.

The resolution agreement with OHSU is the Department of Health and Human
Services' Office for Civil Rights' eighth HIPAA settlement so far this year
and the 35th since 2008.

In a July 13 statement, OHSU says it signed a resolution agreement with OCR
following the HIPAA-enforcement agency's investigation into the two
breaches.

The first incident, which impacted 4,022 individuals, involved an
unencrypted laptop that was stolen from a surgeon's vacation rental home in
Hawaii in February 2013 (see Stolen Laptops Lead Breach Roundup).

The second 2013 breach, which affected 3,044 individuals, involved OHSU's
use of a cloud-based storage service without a business associate
agreement, OHSU says.

That breach - which was actually two related incidents - involved
physicians-in-training from two OHSU medical departments inappropriately
posting unencrypted spreadsheets of patient information using cloud-based
email and document storage services from Google. OHSU did not have a
business associate agreement with Google (see HIPAA Breaches in the Cloud).

A statement issued by OHSU at the time of the breach noted that although
Google Drive and Google Mail are password-protected and have security
measures and policies in place to protect information, Google "is not an
OHSU business associate with a contractual agreement to use or store OHSU
patient health information."

As to circumstances involving OHSU's breaches leading to the OCR
settlement, "The lessons are the same as ever: A mature, robust information
security program is what's needed to protect PHI and all other information
assets," says privacy and security expert Kate Borten, founder of
consulting firm The Marblehead Group.

Privacy attorney Kirk Nahra of the law firm Wiley Rein says he suspects the
substantial financial penalty for the relatively small breaches likely
reflected the fact that OHSU had also previously reported other breaches to
OCR. That includes a 2012 incident involving the theft of an unencrypted
USB drive containing PHI of 14,000 pediatric patients from the home of a
OHSU hospital employee

"I presume that the history here mattered more than the volume" of
individuals affected by the breaches at the center of the OHSU resolution
agreement," Nahra says.

Taking Action

The OHSU resolution agreement with OCR also includes "a rigorous three-year
corrective action plan," the organization says.

"We made significant data security enhancements at the time of the
incidents and now are investing at an unprecedented level in proactive
measures to further safeguard patient information," says Bridget Barnes,
OHSU's CIO.

"In the coming weeks, OHSU will engage an external information security
consultant and convene a multidisciplinary steering committee from across
the university to help us meet the requirements of the corrective action
plan," she says. "Over the next few months and beyond, OHSU integrity and
information security experts will work with the consultant and our steering
committee to identify patient information security risks or
vulnerabilities, and make regular reports to OCR, and implement any
necessary mitigation strategies."

While patients and healthcare providers benefit significantly from access
to electronic health records and emails from various devices and locations,
the access comes with new security challenges, Barnes says. "In the face of
these challenges, OHSU is proactively working to ensure the creation of a
sustainable gold standard for protected health information security and
HIPAA compliance."

OHSU declined an Information Security Media Group request for additional
comment on the OCR settlement and corrective action plan.

An OCR spokeswoman declined to comment on the settlement, saying the agency
planned to soon release a statement about the OHSU matter and to post the
resolution agreement online.

Other Settlements

So far in 2016, two other HIPAA settlements also focused on the absence of
business associate agreements. Those include a $1.55 million settlement in
March with North Memorial Health Care and a $750,000 settlement in April
with Raleigh Orthopaedic Clinic, P.A. of North Carolina.

Also, since 2008, OCR has issued several resolution agreements with covered
entities related to breach investigations stemming from the theft or loss
of unencrypted mobile computing devices and storage media.

One of the largest such settlements was a $1.7 million OCR resolution
agreement with Alaska Department of Health and Human Services in 2012 over
a 2009 breach involving a stolen USB drive containing protected health
information of only 501 people.

Alaska DHHS was also cited for a list of other security shortcomings
uncovered by OCR during its breach investigation at the state agency,
including the lack of a comprehensive risk analysis.

Busy Time

The announcement of the settlement between OHSU and OCR came near the end
of a busy week of activity at OCR.

That includes OCR issuing new ransomware guidance, as well the agency
announcing that 167 covered entities have been notified of being chosen for
desk audits in phase two of OCR's HIPAA compliance audit program (see
Organizations Facing HIPAA Audits Notified).

But despite all the recent OCR actions, "I see this activity as mainly a
coincidence, not more than that," Nahra says.

But Borten says there could potentially be other factors driving the flurry
of recent OCR activity. "Every new [presidential] administration, even of
the same party, has its own agenda and priorities," she notes. "There's no
guarantee that the current HHS leaders and their goals will continue into
the next administration."
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.riskbasedsecurity.com/pipermail/breachexchange/attachments/20160719/e402b039/attachment.html>