University of Washington Medicine pays $750,000 over security lapses tied to 2013 breach
The University of Washington Medicine will spend $750,000 to settle charges that it potentially violated the HIPAA Security Rule by failing to implement policies and procedures to prevent, detect, contain and correct security violations.
The HHS Office for Civil Rights, which is charged with upholding the HIPAA Privacy Rule, announced the terms of the settlement on December 14.
Specifically, OCR spotlighted insufficient risk analysis at UWM.
The primary teaching hospital of the University of Washington School of Medicine, UWM is an affiliated covered entity under HIPAA. As such, it must have in place appropriate policies and processes to assure HIPAA compliance with respect to each of the entities that are part of the affiliated group.
Besides paying the $750,000 settlement, UWM also agreed to a corrective action plan and to annual reports on the organization's compliance efforts.
OCR initiated its investigation of UWM following receipt of a breach report on Nov. 27, 2013, which indicated that the electronic protected health information of about 90,000 individuals was accessed after an employee downloaded an email attachment that contained malware. The malware compromised the organization's IT system, affecting the data of two groups of patients: about 76,000 patients whose records included a combination of patient names, medical record numbers, dates of service and/or charges or bill balances; and about 15,000 patients whose records included names, medical record numbers, other demographics such as address and phone number, dates of birth, charges or bill balances, social security numbers, and insurance identification or Medicare numbers.
OCR's investigation indicated that UWM's security policies required its affiliated entities to have up-to-date, documented system-level risk assessments and to implement safeguards in compliance with the Security Rule. But UWM did not ensure that all of its affiliated entities were properly conducting risk assessments and appropriately responding to the potential risks and vulnerabilities in their respective environments.
"All too often we see covered entities with a limited risk analysis that focuses on a specific system such as the electronic medical record or that fails to provide appropriate oversight and accountability for all parts of the enterprise," said OCR Director Jocelyn Samuels in a press statement. "An effective risk analysis is one that is comprehensive in scope and is conducted across the organization to sufficiently address the risks and vulnerabilities to patient data."