The Oklahoma State University’s Center for Health Sciences (OSUCHS) has recently agreed to pay a financial penalty of $875,000 to resolve potential violations to several HIPAA Rules. The agreement comes after an investigation of a data breach conducted by the Department of Health and Human Services’ Office for Civil Rights (OCR).
The OSUCHS is an academic health center that offers preventative, therapeutic, and diagnostic care. The center detected a breach of data on November 7, 2017. The university discovered that an unauthorized third party had gained access to the OSUCHS university and potentially recovered records of roughly 280,000 Medicaid patients. An investigation was immediately launched to determine how the center’s web server had been accessed, what sections had been accessed, and whether patient information was recovered. The results of which found that hackers had installed malware on the center’s server and utilized it to access patient information. The information accessed included names, addresses, date of births, healthcare provider names, Medicaid numbers, and treatment information. Although the breach was first claimed to have occurred on November 7, 2017, it was later discovered that the hackers first had access to the patient data on March 9, 2016.
The OCR claims that OSUCHS may have violated a multitude of HIPAA regulations. The potential violations include the impermissible disclosure of ePHI, failure to implement audit controls, failure to provide timely breach notification to the Secretary of the HHS and affected individuals, failure to conduct a suitable risk-analysis, and failure to perform periodic evaluations in response to changes affecting the security of the ePHI they maintain. The OCR ordered Oklahoma State University to pay a financial penalty amounting to $875,000 for the violations. The center will also have to construct and implement a Corrective Action Plan to ensure further HIPAA violations do not occur. In addition, the OCR will supervise the center’s compliance to HIPAA law for the next 2 years. The University has not declared any acknowledgement of guilt or culpability despite settling with a sizable financial penalty and Corrective Action Plan mandate.