The Department of Health and Human Services recently issued a $150,000 fine to Anchorage Community Mental Health Services (ACMHS) for HIPAA security violations. What's noteworthy about this fine is that the covered entity did not keep up with security patches and ran outdated, unsupported software on its network.
The HHS Office of Civil Rights OCR opened an investigation back in 2012 after receiving notification from ACMHS regarding a breach of unsecured electronic protected health information (ePHI). They reported 2,743 individuals had been affected due to malware compromising the security of its information technology resources.
HHS has a database you can search for any breach that affects more than 500 individuals so we checked there to see if we could find more information on this breach. We discovered the breach date ran for 15 days from 20 December 2011 until 4 Jan 2012. We also found out a single desktop computer was infected with malware. This leads me to believe the malware infection occurred either via email or from browsing a malware site. Quite possibly both occurred: a user got a forged email, they clicked a link, got directed to a malware site and then either malware was instantly installed in the background or they mistakenly entered their login information.
As it often happens, once the OCR began its investigation, they found other HIPAA compliance violations. In this case, they found that while ACMHS had adopted sample Security Rule policies and procedures in 2005, they were not followed. In addition, the security incident was the direct result of ACMHS failing to identify and address basic risks, such as not regularly updating their IT resources with available patches and running outdated, unsupported software. If I had to make an educated guess, it sounds like the infected desktop was running Windows XP, it had an outdated version of Internet Explorer and it was immediately compromised once the user used it to mistakenly visit a malware site.
Related Article: HIPAA Privacy Violations Include Stolen Office Computers In addition to the $150,000 settlement, Anchorage Community Mental Health Services will also be required to implement a corrective action plan and report to OCR on its compliance program for two years.
Did you know HHS offers a free HIPAA Security Risk Assessment Tool? The tool is available here and you can use it to conduct reviews of the the administrative, physical and technical safeguards you have in place for HIPAA compliance.
Related Article: HIPAA Violations Outpace Oil, Congress and Dow Jones