Oregon Health and Science University (OHSU) has reached a settlement with the Department of Health and Human Services (HHS) Office for Civil Rights (OCR) for $2.7 million. The HIPAA settlement comes after two separate data breaches were reported to OCR dating back to 2013. Combined, these breaches affected more than 7,000 patients.
The first breach was caused by a laptop theft. A surgeon was vacationing in Hawaii in February of 2013 when the laptop was stolen out of their home. The device was unencrypted and contained the PHI of 4,022 patients.
The second breach occurred in July of 2013. OHSU alerted 3,044 patients that their PHI had been compromised by residents and physicians-in-training who had been using a Google-based cloud storage service to store PHI without a legally mandated business associate agreement (BAA) in place first. Any time health data is stored by a cloud or physical storage service, covered entities–such as OHSU–are legally obligated by the Omnibus Rule to execute BAAs with those services.
OHSU has experienced four meaningful breaches of protected health information (PHI) affecting more than 500 individuals since 2009 alone, including these two.
Back in June of 2009, another unencrypted laptop was stolen containing the PHI of around 1,000 patients. And in July of 2012 an unencrypted thumb drive containing the PHI of 14,000 patients was stolen as well.
“OHSU’s repeated offenses are a perfect example of why OCR has stepped up their enforcement efforts for HIPAA violations so much over the past two years,” says Marc Haskelson, President and CEO of Compliancy Group. “Examples like these demonstrate why this kind of chronic non-compliance poses such a threat to healthcare organizations around the country. OCR has finally started to catch on to these offenders and enforcement is only going to become more severe in the months ahead.”
OHSU released a statement following the HIPAA settlement where CIO, Bridget Barnes, promised “significant data security enhancements” to better protect PHI. With such serious breaches behind it, the organization will be hard pressed to overcome the reputational damage that these lapses in compliance represent. All breaches affecting more than 500 individuals are publicly listed on the HHS Breach Portal, posing a concrete (and fully searchable) consequence to any OCR investigation, including these.
Having an effective HIPAA compliance program is becoming the only way for organizations to protect their business from breaches and fines. And with enforcement trends ramping up, non-compliance exposes healthcare professionals to serious security risks and lasting reputational harm.
