Outdated, unsupported software led to malware infection

HHS slaps provider with $150K bill for HIPAA breach

By Erin McCann
10:55 AM
A five-facility mental health organization in Alaska has agreed to pay up and shape up its HIPAA compliance program after a Department of Health and Human Services investigation found the group failed to appropriately safeguard patient data.
 
Anchorage Community Mental Health Services will pay $150,000 to HHS to settle potential HIPAA violations after it failed to patch its systems and continued to run outdated, unsupported software, which eventually led to a malware infection that compromised the protected health information of 2,743 individuals. ACMHS reported the breach to HHS in March 2012.
 
 
The Office for Civil Rights, the HHS division responsible for HIPAA enforcement, found during its investigation that ACMHS had adopted HIPAA security policies and procedures but that its employees had not followed them for a seven-year period, from 2005 to 2012.
 
The breach of electronic protected health information occurred after ACMHS failed to "identify and address basic risks," OCR officials wrote in the settlement bulletin. Specifically, the organization did not keep its IT resources current with available system patches and continued to run software that was no longer supported by its vendors.
 
"Successful HIPAA compliance requires a common sense approach to assessing and addressing the risks to ePHI on a regular basis," said OCR Director Jocelyn Samuels, in the December bulletin. "This includes reviewing systems for unpatched vulnerabilities and unsupported software that can leave patient information susceptible to malware and other risks."
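The review the bulletin describes is, at bottom, a comparison of what is installed against vendor support dates and patch recency. The script below is an added illustration of that check, not code from the article, ACMHS, HHS or OCR: it parses a small asset-inventory export, flags software past its end-of-support date, flags software whose support status is unknown (a gap in the risk analysis, not a pass), and flags hosts that have gone too long without patching. The host names, product names, versions, inventory rows and end-of-support dates are all constructed for the example; the review date of 2012-03-01 is an assumption chosen only because the article says ACMHS reported its breach in March 2012.

```python
"""Review an asset inventory for unsupported software and stale patching.

Added example for this article; not code from ACMHS, HHS or OCR. The product
names, hosts and end-of-support dates below are constructed for illustration.
"""
import csv
import io
from datetime import date

# Constructed vendor lifecycle table: (product, version) -> last day of vendor support.
# Assumed dates for the example only; a real review loads published vendor lifecycle data.
END_OF_SUPPORT = {
    ("ExampleOS", "5"): date(2010, 7, 13),
    ("ExampleOS", "6"): date(2015, 4, 14),
    ("ExampleOS", "8"): date(2023, 1, 10),
    ("ExampleEHR", "2.1"): date(2011, 12, 31),
    ("ExampleEHR", "3.0"): date(2016, 6, 30),
    ("ExampleAV", "9"): date(2014, 3, 1),
}

# Constructed inventory export, as an asset-management tool might produce it. No real hosts.
INVENTORY_CSV = """\
host,product,version,last_patched
clinic-ws01,ExampleOS,5,2008-11-02
clinic-ws02,ExampleOS,6,2012-01-15
billing-srv,ExampleEHR,2.1,2011-06-30
billing-srv,ExampleOS,6,2012-02-20
intake-ws03,ExampleOS,8,2012-02-28
intake-ws03,ExampleAV,9,2012-03-01
lab-srv,ExampleEHR,3.0,2012-02-01
lab-srv,LegacyDB,4,2009-05-05
"""

# Assumed review date: the article says ACMHS reported its breach in March 2012.
REVIEW_DATE = date(2012, 3, 1)


def parse_inventory(text):
    """Parse the CSV export into dicts, turning last_patched into a real date."""
    rows = []
    for row in csv.DictReader(io.StringIO(text)):
        rows.append({
            "host": row["host"].strip(),
            "product": row["product"].strip(),
            "version": row["version"].strip(),
            "last_patched": date.fromisoformat(row["last_patched"].strip()),
        })
    return rows


def review(rows, eol_table, as_of, max_patch_age_days=90):
    """Return one finding per problem found on the review date.

    Issues: UNSUPPORTED (vendor support ended before as_of), UNKNOWN_SUPPORT_STATUS
    (product/version missing from the lifecycle table; flagged, never silently passed)
    and STALE_PATCHING (last patch older than max_patch_age_days).
    """
    findings = []
    for r in rows:
        base = {"host": r["host"], "product": r["product"], "version": r["version"]}
        eol = eol_table.get((r["product"], r["version"]))
        if eol is None:
            findings.append({**base, "issue": "UNKNOWN_SUPPORT_STATUS",
                             "detail": "not in lifecycle table"})
        elif eol < as_of:
            findings.append({**base, "issue": "UNSUPPORTED",
                             "detail": f"vendor support ended {eol.isoformat()}"})
        age_days = (as_of - r["last_patched"]).days
        if age_days > max_patch_age_days:
            findings.append({**base, "issue": "STALE_PATCHING",
                             "detail": f"last patched {age_days} days ago"})
    return findings


def hosts_needing_action(findings):
    """Distinct hosts with at least one finding, for a corrective-action tracker."""
    return sorted({f["host"] for f in findings})


if __name__ == "__main__":
    inventory = parse_inventory(INVENTORY_CSV)
    results = review(inventory, END_OF_SUPPORT, REVIEW_DATE)
    for f in results:
        print(f"{f['host']:12} {f['product']:11} {f['version']:4} {f['issue']:23} {f['detail']}")
    print("hosts needing action:", ", ".join(hosts_needing_action(results)))
```

Two design choices matter more than the thresholds: an entry that is absent from the lifecycle table is reported as a finding rather than ignored, because unknown support status is exactly the kind of basic risk the bulletin says went unidentified, and the review is run against an explicit date so the same inventory can be re-checked on a schedule and the results compared over time.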
 
In addition to the $150,000 settlement, Anchorage Community Mental Health Services must implement a corrective action plan and then report to OCR on the status of its compliance program.
 
 
To date, nearly 41.5 million people have had their protected health information compromised in a reportable HIPAA privacy or security breach, according to the most recent HHS data. 
 
In its most recent settlement before ACMHS, HHS in June slapped the six-hospital Parkview Health System in Fort Wayne, Indiana, with an $800,000 settlement after Parkview dumped 71 boxes of patient records in the driveway of a retiring physician's home while she was away. According to the complaint, the medical records were "unattended and accessible to unauthorized persons" on the physician's driveway, located in a "heavily trafficked" area.
 
 
Earlier this year, OCR also set a record with its largest monetary settlement to date: New York-Presbyterian Hospital and Columbia University Medical Center together agreed to pay $4.8 million to settle alleged HIPAA violations after the electronic protected health information of 6,800 patients became accessible through Google in 2010.
 
To date, OCR has collected some $26 million in monetary settlements from 24 HIPAA-covered entities found to have violated the privacy, security and breach notification rules.