Malware Infection Results in a $650,000 Settlement

Malware Infection Results in a $650,000 Settlement

Just recently it was announced that a potential HIPAA Privacy Rule and Security Rules violation lead a major organization to pay a sustainable fee, $650,000. The breach was reported to the U.S. Department of Health and Human Service (HHS), Office for Civil Rights (OCR), stating one of their workstations was infected with a malware program which resulted in the impermissible disclosure of electronic protected health information (ePHI) of 1,670 individuals, including names, addresses, social security numbers, dates of birth, health insurance information, diagnoses and procedure codes.

Specifically, OCR determined the organization potentially violated the following HIPAA Rules:

  • The organization had failed to designate all of its health care components when hybridizing, incorrectly determining that while the Health Services was a covered health care component, other components, including the Center where the breach of ePHI occurred, were not covered components. Because the company failed to designate the Center a health care component, certain procedures were not implemented correctly to ensure compliance with the HIPAA Privacy and Security Rules.
  • The organization failed to implement technical security measures at the Center to guard against unauthorized access to ePHI transmitted over an electronic communications network by ensuring that firewalls were in place at the Center.
  • The organization did not conduct an accurate and thorough risk analysis until September 2015.

A settlement was agreed upon with the organization that included a corrective action plan and a monetary settlement of $650,000 and according to OCR, the settlement amount is "reflective of the fact that the organization operated at a financial loss in 2015."

According to OCR Director Jocelyn Samuels, "HIPAA's security requirements are an important tool for protecting both patient data and business operations against threats such as malware."

Did you know?

"Procedures for guarding against, detecting, and reporting malicious software" is an addressable implementation specification under the HIPAA Security Rule. This is covered in Healthcare Compliance Pros HIPAA Security module.

If you have any questions please do not hesitate to contact us by phone: 855-427-0427 or by email: [email protected]