The Department of Health and Human Services (HHS) Office for Civil Rights (OCR) has levied a $2.75 million fine against the University of Mississippi Medical Center (UMMC) after uncovering a
OCR began its investigation of the hospital after UMMC reported a laptop theft in 2013. The laptop was password-protected but unencrypted, so the login password did nothing to protect the data on its disk from anyone in physical possession of the device.
According to OCR, the electronic protected health information (ePHI) stored on one of the device’s network drives “was vulnerable to unauthorized access via UMMC’s wireless network because users could access an active directory containing 67,000 files after entering a generic username and password.” The directory housed “328 files containing the ePHI of an estimated 10,000 patients dating back to 2008.”
Over the course of its investigation, OCR determined that UMMC had been aware of failings in its data privacy and security measures since at least April 2005. The organization chose not to address these gaps until the laptop was stolen in 2013.
UMMC’s failure to address its security infrastructure was compounded by the fact that, while the organization accepted OCR’s proposed resolution agreement, it would not admit liability for the breach. OCR has made it clear that negligence in safeguarding PHI is one of the chief factors it weighs when deciding what fines to levy against HIPAA violators.
A representative from UMMC stated that “we have learned from this experience and are working hard to ensure that our information security program meets or exceeds the highest standard.”
The University of Mississippi Medical Center is the second university-affiliated institution this month to receive a fine greater than $2 million. The other was Oregon Health and Science University, which was fined $2.7 million for repeated HIPAA violations, one of which resulted from the theft of an unencrypted laptop.
Thefts are generally outside an organization’s control. But when an organization neglects mandatory security standards, OCR auditors levy fines that are significantly more severe than they otherwise would. The fine schedule for HIPAA violations ranges from $100 to $50,000 per incident, with the penalties increasing according to the level of negligence that investigators uncover.
The UMMC investigation shows exactly why a total compliance plan is essential for health care organizations across the country. The chances of losing a laptop or smartphone are roughly 43%, according to a study by ISACA. With the proliferation of mobile devices being used to store ePHI, organizations need to recognize that the chances of one of those devices going missing are significant.
The only way to protect patients’ data and the reputation of your practice or organization is to have a total compliance solution that addresses the full extent of federal HIPAA regulations.