The Department of Health and Human Services (HHS) Office for Civil Rights (OCR) has announced a settlement over a hacking incident at Oklahoma State University, a public land-grant research university whose Center for Health Sciences (OSU-CHS) provides preventive, rehabilitative, and diagnostic care in Oklahoma. After OSU-CHS reported a HIPAA breach, OCR investigators confirmed the data breach and OSU-CHS agreed to pay $875,000 to resolve potential violations of the HIPAA Privacy, Security, and Breach Notification Rules.
OCR Investigation Of Hacking Incident
On January 5, 2018, OCR launched a HIPAA investigation after receiving a breach report. The report revealed the hacking of an OSU-CHS web server that caused a large data disclosure. According to OSU-CHS, malware had been installed on the server that allowed the attackers to access the electronic protected health information (ePHI) of 279,865 individuals. The exposed information included names, dates of birth, addresses, Medicaid numbers, healthcare provider names, dates of service, and treatment information, all of which was exposed to and potentially obtained by an unauthorized third party.
The reported date of this data breach is November 7, 2017. However, the attackers first gained access to patients' ePHI 20 months earlier: OSU-CHS stated that the records could have been accessed since March 9, 2016. The central issue is that OSU-CHS had potentially violated a whole range of the HIPAA Rules. OCR investigators determined that there had been an impermissible disclosure of the ePHI of 279,865 individuals and a failure to conduct a comprehensive and accurate organization-wide risk analysis.
There was also a failure to perform periodic technical and nontechnical evaluations in response to environmental and operational changes affecting the security of ePHI, as well as a failure to implement audit controls. The failure of security incident response and reporting in turn led to a failure to provide timely breach notification to affected individuals and to the Secretary of HHS. All of these points are considered strict HIPAA violations.
Penalties For Oklahoma State University
OSU-CHS has agreed to pay the penalty and to implement a corrective action plan to resolve all areas of non-compliance identified by OCR. OCR will closely monitor OSU-CHS for compliance with the corrective action plan and the HIPAA Rules for two years. The case was settled with no admission of liability or wrongdoing.
"HIPAA-covered entities are vulnerable to cyber-attackers if they fail to understand where ePHI is stored in their information systems. Effective cybersecurity starts with an accurate and thorough risk analysis and implementing all of the Security Rule requirements," said OCR Director Lisa J. Pino.
This is the fifth financial penalty imposed by OCR in 2022 to resolve HIPAA violations. It is also the 111th penalty imposed since OCR was given the authority to fine HIPAA-regulated entities for HIPAA violations.