For the first time, a medical services provider will have to pay a “neglect” settlement over Health Insurance Portability and Accountability Act of 1996 (HIPAA) violations that led to a data breach.
Anchorage Community Mental Health Services (ACMHS) must pay $150,000 and implement an action plan to bring it into HIPAA compliance after more than 2,700 individuals’ electronic health information was compromised in a cyber attack on the organization, according to a bulletin on the settlement.
According to the bulletin, ACMHS informed the Office for Civil Rights (OCR) about its breach in March 2012, at which point the OCR opened an investigation into the group’s HIPAA compliance and found that the medical organization violated the “Security Rule.”
The HIPAA Security Rule requires entities that handle electronic protected health information to regularly patch systems and update their IT infrastructure. Although ACMHS had adopted the sample Security Rule policies and procedures in 2005, they were never followed. This failure to patch its IT systems allowed malware to breach the organization’s systems and, the bulletin says, prompted the settlement.
As the first major neglect settlement for violations of the Security Rule, the ACMHS case should serve as a wake-up call to healthcare providers, said Rob Juncker, vice president of research and development at LANDESK, in a Wednesday interview with SCMagazine.com.
“[IT security professionals] better make sure that they’re patching and doing best practices and paying attention to anything in their network that could be considered negligence,” he said.
Many health care providers will have major hurdles to overcome in truly securing their endpoints, Juncker said. For instance, it is common to see Windows XP, which is now out of support, still in use. That alone could constitute a violation, Juncker said.
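The two compliance gaps the article names, unpatched systems and endpoints running an operating system the vendor no longer supports, are both things an inventory audit can surface before an auditor or an attacker does. The script below is an added example written for this page; it is not code from the article, from ACMHS or from LANDESK. It walks a constructed endpoint inventory and flags each host that either runs an OS past its end-of-support date or has gone longer than a policy threshold without a patch. The inventory records, the 30-day threshold and the end-of-support table are assumptions for illustration (the Windows XP and Windows Server 2003 dates are the vendor's published extended-support end dates); a real deployment would feed it from a configuration-management or patch-management export and keep the lifecycle table current.

```python
from datetime import date

# Constructed sample inventory (not real hosts): hostname, OS, and the date
# the most recent patch was applied. In practice this comes from your
# patch-management or CMDB export.
SAMPLE_INVENTORY = [
    {"host": "ws-reception-01", "os": "Windows XP", "last_patched": date(2013, 11, 5)},
    {"host": "ws-clinic-07", "os": "Windows 7", "last_patched": date(2014, 11, 20)},
    {"host": "srv-ehr-db", "os": "Windows Server 2003", "last_patched": date(2014, 9, 1)},
    {"host": "ws-billing-02", "os": "Windows 7", "last_patched": date(2014, 6, 2)},
]

# Vendor end-of-support dates for OS versions that may appear in the inventory.
# Windows XP extended support ended 2014-04-08; Windows Server 2003 ended
# 2015-07-14. Assumption: an OS absent from this table is still supported, so
# keep it current from the vendor's lifecycle data.
END_OF_SUPPORT = {
    "Windows XP": date(2014, 4, 8),
    "Windows Server 2003": date(2015, 7, 14),
}

# Assumed policy threshold: a host not patched within this many days is flagged.
MAX_PATCH_AGE_DAYS = 30


def audit_endpoints(inventory, as_of, max_patch_age_days=MAX_PATCH_AGE_DAYS):
    """Return one finding per non-compliant host, each listing every reason.

    A host can be flagged for running an out-of-support OS, for a stale patch
    level, or both; compliant hosts produce no finding.
    """
    findings = []
    for endpoint in inventory:
        reasons = []

        # Check 1: is the OS past the vendor's end-of-support date?
        eos = END_OF_SUPPORT.get(endpoint["os"])
        if eos is not None and as_of >= eos:
            reasons.append(f"OS out of support since {eos.isoformat()}")

        # Check 2: has the host gone too long without a patch?
        patch_age = (as_of - endpoint["last_patched"]).days
        if patch_age > max_patch_age_days:
            reasons.append(
                f"last patched {patch_age} days ago (policy limit {max_patch_age_days})"
            )

        if reasons:
            findings.append(
                {"host": endpoint["host"], "os": endpoint["os"], "reasons": reasons}
            )
    return findings


def summarize(findings):
    """Count how many hosts were flagged for each category of problem."""
    out_of_support = sum(
        1 for f in findings if any(r.startswith("OS out of support") for r in f["reasons"])
    )
    stale_patches = sum(
        1 for f in findings if any(r.startswith("last patched") for r in f["reasons"])
    )
    return {"flagged_hosts": len(findings),
            "out_of_support": out_of_support,
            "stale_patches": stale_patches}


if __name__ == "__main__":
    # Audit as of a fixed date so the sample report is reproducible.
    report = audit_endpoints(SAMPLE_INVENTORY, date(2014, 12, 10))
    for finding in report:
        print(f"{finding['host']} ({finding['os']}):")
        for reason in finding["reasons"]:
            print(f"  - {reason}")
    print(summarize(report))
```

Run against the sample data as of 10 December 2014, the audit flags three of the four hosts: the Windows XP workstation for both reasons, and two others purely for stale patch levels, while the Windows Server 2003 host is reported only for its patch age because its support window had not yet closed on that date. Reviewing those two categories separately matters because they call for different remediation: a stale host needs the patch pipeline fixed, whereas an out-of-support host cannot be patched at all and needs a migration or isolation plan.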
It is no surprise that health records are lucrative goods, fetching anywhere from $10 to $20 per file, so now is the time to ask for support to add team members and beef up security resources, Juncker said.
“Rulings like this are when you have to bring [your thoughts] to the CISOs and make sure they allocate the proper amount of help to ensure proper compliance,” he said.