Oklahoma State University Agrees to $875K OCR Data Breach Settlement

Oklahoma State University – Center for Health Sciences (OSU-CHS) paid $875,000 to OCR in a data breach settlement and agreed to a corrective action plan.

By Jill McKeon

Oklahoma State University – Center for Health Sciences (OSU-CHS) agreed to pay the HHS Office for Civil Rights (OCR) $875,000 in a data breach settlement. OSU-CHS also agreed to implement a corrective action plan to settle potential violations of the HIPAA Security, Privacy, and Breach Notification Rules.

OSU-CHS filed a breach report with OCR on January 5, 2018, explaining that an unauthorized party had gained access to a web server containing electronic protected health information (ePHI). OSU-CHS initially told OCR that the incident occurred on November 7, 2017, but later reported that the ePHI was first exposed on March 9, 2016. At the time of the 2016 intrusion, OSU-CHS was unaware that any ePHI was stored on that server, which is why the exposure went undetected for so long.

The unauthorized party installed malware and potentially exposed the ePHI of 279,865 individuals. The accessed files included Medicaid numbers, names, dates of services, dates of birth, healthcare provider names, treatment information, and addresses.

“OCR’s investigation found potential violations of the HIPAA Rules including impermissible uses and disclosures of PHI; failure to conduct an accurate and thorough risk analysis; failure to perform an evaluation, failures to implement audit controls, security incident response and reporting, and failure to provide timely breach notification to affected individuals and HHS,” OCR stated.

As part of its corrective action plan, OSU-CHS must conduct a comprehensive, organization-wide security risk analysis and develop updated policies and procedures for safeguarding ePHI. Among other measures, OSU-CHS must also provide HHS with the PHI-protection training materials it gives to all members of its workforce who handle PHI.

The corrective action plan includes two years of monitoring along with annual reports and implementation reports. Within 60 days of the effective date, OSU-CHS must designate an individual or entity to be a monitor and review the organization’s compliance with its corrective action plan.

“HIPAA covered entities are vulnerable to cyber-attackers if they fail to understand where ePHI is stored in their information systems,” Lisa J. Pino, director of OCR, explained in the press release.

“Effective cybersecurity starts with an accurate and thorough risk analysis and implementing all of the Security Rule requirements.”

The settlement does not constitute an admission of guilt by OSU-CHS.