OHSU pays $2.7 million fine to HHS Office for Civil Rights for two HIPAA breaches
Oregon Health and Science University said it will pay $2.7 million in fines for two HIPAA data breaches involving protected health information (PHI).
In addition to paying the fine to the Department of Health and Human Services Office for Civil Rights, OHSU agreed to “a rigorous three-year corrective action plan,” OHSU officials noted on the university's website.
The first breach involved a stolen laptop, while the second resulted from the use of a cloud storage service without a business associate agreement.
OHSU stated that to date no harm has been reported by any patients. The university notified 4,022 patients regarding the laptop theft and 3,044 patients regarding the cloud storage incident.
CIO Bridget Barnes said in a statement that the two breaches were stark reminders that OHSU must be vigilant in protecting health data.
“We made significant data security enhancements at the time of the incidents and now are investing at an unprecedented level in proactive measures to further safeguard patient information,” Barnes continued. “In the face of these challenges, OHSU is proactively working to ensure the creation of a sustainable gold standard for protected health information security and HIPAA compliance.”