Background of Oklahoma State University HIPAA Breach
Hackers first gained access to a web server containing the electronic protected health information (ePHI) of as many as 279,865 individuals on March 9, 2016. The information accessed included patient names, Medicaid numbers, healthcare provider names, dates of service, dates of birth, addresses, and treatment information.
The university announced the HIPAA breach on January 5, 2018. At that time, it was believed that the incident started in November 2017, but later forensic analysis revealed the earlier breach date.
OCR Findings of Oklahoma State University HIPAA Breach
The HIPAA breach investigation by the Department of Health and Human Services’ Office for Civil Rights (OCR) found potential violations of the HIPAA Rules, including:
- impermissible uses and disclosures of PHI
- failure to conduct an accurate and thorough risk analysis
- failure to perform an evaluation
- failure to implement audit controls and security incident response and reporting procedures
- failure to provide timely breach notification to affected individuals and HHS
Oklahoma State University HIPAA Breach Fine and Additional Consequences
This is the first settlement or fine announced by HHS since March 2022. In addition to the $875,000 HIPAA breach fine, the university agreed to implement a corrective action plan that includes two years of monitoring and oversight.
A copy of the resolution agreement and corrective action plan may be found at: https://www.hhs.gov/hipaa/for-professionals/compliance-enforcement/agreements/osu-ra-cap/index.html.
HHS Press Release