The Department of Health and Human Services hit the University of Mississippi Medical Center (UMMC) with a $2.75 million fine over a health data breach, its second major privacy action in a week.
The HHS Office for Civil Rights (OCR) is penalizing UMMC for a series of alleged privacy and security violations of the Health Insurance Portability and Accountability Act, also known as HIPAA. The settlement relates to a password-protected laptop that went missing from the hospital’s intensive care unit in March 2013. After an investigation, the medical center determined the computer was likely stolen by a visitor who had asked to borrow it.
According to the Office of Civil Rights, the hospital’s network was easily accessed with a “generic” username and password, granting access to the protected health information of 10,000 patients. UMMC said the laptop was assigned to the unit, and while accessing the network required individual log-ins, accessing the patient record database did not.
The settlement also called for a three-year corrective action plan that addresses the deficiencies the agency found in its investigation. Specifically, officials alleged that the medical center failed to install physical safeguards for workstations containing protected data, failed to implement tracking features for users accessing electronic health information and failed to notify all individuals affected by the breaches. The medical center did not admit liability in the settlement.
In a statement, they admitted to some of the shortcomings but said that there is no evidence that any protected data were accessed.
“In the last several years, UMMC has initiated substantial improvements in its information security program," the statement reads. "Among other initiatives, the Medical Center is requiring that all laptop computers have encryption software installed, restructured the role and reporting relationships of its Chief Information Security Officer, and brought in an outside firm for a complete assessment and overhaul of its IT security program.”
On July 18, the Office of Civil Rights settled another HIPAA case with Oregon Health & Science University (OHSU) for $2.7 million after four breaches in 2012 and 2013 compromised the data of more than 3,000 individuals. In those cases, two unencrypted laptops and one unencrypted thumb drive were lost or stolen. Government officials also said the hospital failed to implement a required security agreement with a cloud service provider where health data were stored.
The university agreed to a three-year corrective action plan to address the alleged shortcomings in its security procedures, but the hospital did not admit liability in the settlement. The university said there have been no reports that the data have been mishandled and that it had expanded computer encryption software across its network.
The recent string of settlements highlights the OCR's intention to step up enforcement as health data breaches continue to make headlines. On June 29, OCR announced its first HIPAA settlement with a business associate, or contractor, that handles medical data for organizations like hospitals and insurance companies.
The fines come as the agency kicks off its highly anticipated second phase of HIPAA audits, after a long delay following its pilot program in 2012. On July 11, OCR notified 167 healthcare organizations — or covered entities, as they’re known under HIPAA — of their selection for the probe’s desk audit portion. The agency eventually plans to initiate on-site audits.
HHS is also looking to expand protections for health data that fall outside of the HIPAA framework, a growing gray area given the boom in mobile health apps and wearable technologies. Acting Assistant Secretary for Health Karen DeSalvo, the National Coordinator for Health Information Technology, on July 19 wrote a blog post urging Congress to expand protections for those types of health data. That same day, DeSalvo's office issued a report to Congress outlining how wearables fall through the HIPAA cracks.
This story was reported by The Hill Extra: Healthcare, launching this fall with subscriber-only access to breaking news and insider analysis of policy, regulation and legislation.
This story was updated on July 26 at 5:12 p.m.