The Cost of Lacking Security: OHSU HIPAA Settlement

Data breach

One data breach is enough to wreak havoc on any organization. The damage one could do to your relationship with customers could be catastrophic for your business, and the fallout can cause you to rethink your entire security strategy.

To add insult to injury, there are also typically steep financial penalties.

Healthcare Info Security recently reported on data breaches suffered by Oregon Health & Science University (OHSU) and the HIPAA settlement they will have to pay. OHSU now owes $2.7 million stemming from two 2013 data breaches that affected over 7,066 individuals. One breach involved the theft of an unencrypted laptop from a surgeon’s rental vacation home, while the other was from OHSU using a cloud storage system without the proper security measures in place.

Additionally, OHSU must now work with federal regulators to ensure they are following a three-year corrective action plan built to correct the many lapses in their security profile that led to these breaches.

Failing to Comply

OHSU has no one to blame but themselves for this breach. Healthcare Info Security reports that OHSU conducted risk analyses in 2003, 2005, 2006, 2008, 2010 and 2013, but they weren’t as thorough as they could have been and failed to take the appropriate steps to shore up their security. This includes failing to implement policies and procedures to safeguard against attacks like the ones they would eventually suffer.

The Office of Civil Rights (OCR) weighed in on OHSU’s breaches, with OCR Director Jocelyn Samuels notably stating:

“From well-publicized large scale breaches and findings in their own risk analyses, OHSU had every opportunity to address security management processes that were insufficient. Furthermore, OHSU should have addressed the lack of a business associate agreement before allowing a vendor to store ePHI (electronic protected health information). This settlement underscores the importance of leadership engagement and why it is so critical for the C-suite to take HIPAA compliance seriously.”

This goes to show just how serious these risks can be. Adhering to regulations is important not only to avoid crippling financial penalties, but also to avoid further oversight.

More Regulations

Going forward, OHSU must stick to a strict three-year action plan developed to correct the errors in their security profile. Some key parts of this plan include:

  • A thorough assessment of potential risks and vulnerabilities to ePHI housed at all OHSU facilities, networks, systems and devices that handle ePHI in any way.
  • Creation of a comprehensive risk management plan that sets in stone OHSU’s cybersecurity strategy. This includes outlining a timeline to fix all errors, put proper controls into place, and ensure all devices that can access the organization’s ePHI are properly encrypted.
  • Training of OHSU’s staff in security awareness and effective communication to the OHSU community regarding their new commitment to enterprise encryption.

OHSU’s settlement and corrective action plan come on the heels of several others handed out in 2016, including $1.55 million in March from North Memorial Health Care and $750,000 in April from Raleigh Orthopedic Clinic, P.A. of North Carolina.

The lesson here?

Ensure you are taking the necessary steps to remain compliant with regulations and to keep your security profile up to date. Schedule periodic comprehensive IT security assessments from compliance experts, and take the findings to heart so that you can keep your business and client data safe.

Posted in BAI Security Blog.