University Medical Center’s Delayed Disclosure of HIPAA Hacking Breach Results in $875,000 Settlement

The Office of Civil Rights (OCR), a division of the U.S. Department of Health and Human Services (HHS), has reached an $875,000 settlement and an extensive corrective action plan (CAP) with a university medical center concerning its violation of HIPAA’s privacy, security, and breach notification rules. An unknown third party hacked a medical center web server that contained protected health information (PHI), resulting in the disclosure of PHI for more than 275,000 individuals.

The medical center filed the breach report in November 2017. The center later reported that the hacking incident had occurred in March 2016 and that the center had become aware of it in September 2017. The center did not report the breach earlier because it did not realize that PHI was stored on the compromised server. Following its investigation, OCR determined that the center had allowed unauthorized disclosures of PHI, failed to implement sufficient response and reporting protocols for security incidents, and neglected to conduct adequate risk analyses or evaluations. OCR also noted that the medical center had declined to adopt adequate audit controls and had failed to provide timely breach notification to affected individuals and to HHS.

As a result of the settlement, the medical center is also subject to a CAP, which involves various provisions, including the following:

  • Complete a risk analysis and management plan that OCR must review and approve;
  • Revise its privacy, security, and breach notification policies according to the plan within 30 days of the date of OCR’s approval;
  • Incorporate the revised policies into proposed training materials for approval by OCR;
  • Once approved, include them in training sessions for all employees;
  • Train new employees within 15 days of starting work;
  • Engage an independent monitor to analyze and assist with CAP compliance, subject to OCR approval; and
  • Submit periodic compliance reports to OCR concerning the CAP for two years.

HBL has experience in all areas of benefits and employment law, offering a comprehensive solution to all your business benefits and HR/employment needs. We help ensure you are in compliance with the complex requirements of ERISA and the IRS code, as well as those laws that impact you and your employees. Together, we reduce your exposure to potential legal or financial penalties. Learn more by calling 470-571-1007.


Hall Benefits Law, LLC

HBL offers employers comprehensive legal guidance on benefits in mergers and acquisitions, Employee Stock Ownership Plans (ESOPs), executive compensation, health and welfare benefits, healthcare reform, and retirement plans. We counsel a wide spectrum of clients including small, mid-sized, and large companies, 401(k) investment advisors, health insurance brokers, accountants, attorneys, and HR consultants, just to name a few. HBL is passionate about advising clients, and we are dedicated to our mission: to provide comprehensive, personalized, and practical ERISA and benefits legal solutions that exceed client expectations.
