Oklahoma State University – Center for Health Services Pays $875,000 to Settle Hacking HIPAA Breach

The Office for Civil Rights (OCR) announced a settlement with Oklahoma State University – Center for Health Services (OSU-CHS) related to a hacking incident that compromised the protected health information (PHI) of 279,865 individuals.

The settlement arose after OSU-CHS’s submission of a required breach notification report to OCR disclosing the hacking incident on January 5, 2018. In the report, OSU-CHS indicated that on November 7, 2017, an unauthorized third party gained access to an OSU-CHS web server by uploading malware. The compromised server contained patients’ names, Medicaid numbers, healthcare provider names, dates of service, dates of birth, addresses, and treatment information. Additionally, during its investigation following the breach report, OCR found that OSU-CHS had failed to identify and timely disclose an earlier hack that affected PHI; the university was unaware that the affected server in the prior incident contained PHI. OCR cited this failure to recognize and promptly report the previous breach as evidence of a lack of proper procedures and compliance measures.

OSU-CHS agreed to pay $875,000 and implement a corrective action plan (CAP) to settle potential violations of HIPAA related to the breaches and other areas of alleged noncompliance. The CAP will remain in effect for 2 years and adds an additional level of oversight for OSU-CHS.

OCR has made clear, through its settlements and otherwise, that it uses the mandatory breach reporting requirement of HIPAA to evaluate which covered entities and business associates to audit. Moreover, when OCR performs these audits, they are often not limited to an evaluation of the specific breach incident and instead review an organization’s HIPAA compliance more holistically.

How Frier Levitt Can Help

As underscored by this latest settlement, fines related to HIPAA breaches and compliance issues identified by OCR may occur years after a reported breach. HIPAA covered entities and their business associates should take note of OCR’s enforcement activities and ensure that they implement appropriate policies and procedures to reasonably protect PHI, frequently conduct mandatory risk assessments to evaluate threats and vulnerabilities to their organizations, and timely respond to and report any breaches of PHI. Contact Frier Levitt for assistance in developing or reviewing your company’s HIPAA compliance plans.