OHSU Pays $2.7 Million for HIPAA Breach
Oregon Health and Science University (OHSU) has reached a HIPAA settlement with the Department of Health and Human Services’ Office for Civil Rights (OCR) over two breaches that occurred in 2013. In the agreement, which contains a three-year corrective action plan, OHSU agrees to pay $2.7 million to federal regulators. It is the OCR’s eighth such HIPAA settlement this year.
The two breaches affected over 7,000 people in total. In the first, an unencrypted laptop was stolen from a surgeon’s rental home. The second involved physicians posting spreadsheets with patient data to cloud-based email and storage services from Google without a business associate agreement in place.
The OCR’s investigation found that while OHSU performed risk analyses, it failed to enact measures to address the risks they identified. OHSU also did not have procedures to prevent, detect, contain, and correct security violations, nor did it have a system in place to encrypt electronic protected health information (ePHI).
As part of the agreement, OHSU has to implement a rigorous three-year action plan. Under it, OHSU must perform a thorough system-wide risk assessment of ePHI vulnerabilities, develop a risk management plan to deal with those vulnerabilities, and put safeguards in place in the interim. Additionally, OHSU needs to keep HHS updated on its encryption status and properly train employees in security awareness.
It’s believed that OHSU received such a significant penalty due to having previously been responsible for other breaches. One of those was the theft of a USB drive that contained the ePHI of 14,000 pediatric patients in 2012.