September 21, 2023
Academic health center pays $875K fine in data breach

Dive Brief:

  • Oklahoma State University Center for Health Sciences has paid $875,000 to the federal government to settle alleged violations of HIPAA privacy rules. The academic health center also agreed to implement a corrective action plan that includes two years of monitoring.
  • HHS’ Office for Civil Rights investigated potential HIPAA rule violations after the center informed the agency in a 2018 breach report that an unauthorized third party gained access to a web server containing personal health information. The healthcare provider did not admit to liability in the settlement.
  • The hacker installed malware that led to the disclosure of electronic data for nearly 280,000 patients. The breach exposed patient names, Medicaid numbers, healthcare provider names, dates of service, dates of birth, addresses and treatment information, the HHS said.

Dive Insight:

Cyberattacks on healthcare providers have swelled over the past decade, affecting a record 45 million patients in 2021 alone, triple the number reported just three years earlier, according to one analysis. Medical records are especially appealing to identity thieves hunting for financial data due to the amount of personal information they contain.

The problem shows no signs of abating. A systems breach at imaging and outpatient services provider Shields Health Care Group in March may have exposed the personal data of 2 million patients in New England, the company disclosed. The incident is the largest cyberattack in a string of hacking incidents involving health information so far this year.

The Health Information Technology for Economic and Clinical Health (HITECH) Act of 2009 increased penalties for HIPAA compliance violations and introduced the requirement for reporting data breaches. In its most recent annual report to Congress on health information breaches, HHS said the Office for Civil Rights imposed more than $13 million in financial penalties in 2020, in addition to requiring corrective actions in hundreds of cases.

In its investigation of the hacking breach at the OSU Center for Health Sciences, the Office for Civil Rights found possible HIPAA violations that included impermissible uses and disclosures of private healthcare information; failure to conduct an accurate and thorough risk analysis; failure to perform an evaluation; failures to implement audit controls, security incident response and reporting; and failure to provide timely breach notification to affected individuals and HHS, the agency said.

The OSU center notified HHS of the breach in January 2018, reporting that the incident happened in November 2017. Later, the provider said that patient data was first compromised in March 2016, according to HHS.