Phishing Email Leads to $750,000 OCR HIPAA Settlement
In a press release dated December 14, 2015, the U.S. Department of Health and Human Services Office for Civil Rights (OCR) announced a settlement with the University of Washington (UWM) for violating the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Security Rule.
In November 2013, OCR initiated an investigation of UWM following receipt of a breach report stating that the electronic protected health information (e-PHI) of approximately 90,000 individuals had been accessed after an employee opened an email attachment that contained malware. The malware compromised the organization's IT infrastructure, stealing patient information such as names, dates of birth, Social Security numbers, medical record numbers, billing information, etc.
OCR further states:
“All too often we see covered entities with a limited risk analysis that focuses on a specific system such as the electronic medical record or that fails to provide appropriate oversight and accountability for all parts of the enterprise,” said OCR Director Jocelyn Samuels. “An effective risk analysis is one that is comprehensive in scope and is conducted across the organization to sufficiently address the risks and vulnerabilities to patient data.”
This latest Office for Civil Rights (OCR) settlement is yet another example of why risk assessments must span the entire organization and not just electronic medical records alone. It is important to have a full security risk assessment done correctly. From a risk perspective, the cost of failure can be astronomical for small and medium-size medical practices.
If you have not had a security risk assessment completed this year, or have questions regarding our HIPAA Security Risk Analysis Services, please reach out to us. Call us at (866) 900-4236 or visit our Contact Us page.