University of Mississippi Medical Center Agrees to Pay $2.75M to Settle Potential HIPAA Violations | Healthcare Informatics Magazine | Health IT | Information Technology


July 25, 2016
by Heather Landi

The University of Mississippi Medical Center (UMMC) has signed a resolution agreement with the U.S. Department of Health and Human Services Office for Civil Rights (OCR) following an investigation of a 2013 breach of unsecured electronic protected health information (ePHI).

As part of the settlement due to multiple alleged violations of the Health Insurance Portability and Accountability Act (HIPAA), UMMC will pay a penalty of $2.75 million and adopt a corrective action plan designed to assure future compliance with HIPAA Privacy, Security and Breach Notification Rules, according to an OCR announcement.

OCR’s investigation of UMMC was triggered by a breach of unsecured ePHI affecting approximately 10,000 individuals. “During the investigation, OCR determined that UMMC was aware of risks and vulnerabilities to its systems as far back as April 2005, yet no significant risk management activity occurred until after the breach, due largely to organizational deficiencies and insufficient institutional oversight,” the agency stated in the announcement.

“In addition to identifying risks and vulnerabilities to their ePHI, entities must also implement reasonable and appropriate safeguards to address them within an appropriate time frame,” OCR Director Jocelyn Samuels said in a prepared statement. “We at OCR remain particularly concerned with unaddressed risks that may lead to impermissible access to ePHI.”

University of Mississippi is the state’s sole public academic health science center with education and research functions. In addition, it provides patient care in four specialized hospitals on the Jackson campus and at clinics throughout Jackson and the state. Its designated health care component, UMMC, includes University Hospital, the site of the breach in this case, located on the main UMMC campus in Jackson.

On March 21, 2013, OCR was notified of a breach after UMMC’s privacy officer discovered that a password-protected laptop was missing from UMMC’s Medical Intensive Care Unit (MICU). According to HHS OCR, UMMC's investigation concluded that it had likely been stolen by a visitor to the MICU who had inquired about borrowing one of the laptops. OCR’s investigation revealed that ePHI stored on a UMMC network drive was vulnerable to unauthorized access via UMMC’s wireless network because users could access an active directory containing 67,000 files after entering a generic username and password. The directory included 328 files containing the ePHI of an estimated 10,000 patients dating back to 2008.

OCR also stated that during its investigation into the data breaches the agency found that UMMC failed to implement its policies and procedures to prevent, detect, contain, and correct security violations and failed to implement physical safeguards for all workstations that access ePHI to restrict access to authorized users. In addition, OCR cited UMMC for failing to assign a unique user name and/or number for identifying and tracking user identity in information systems containing ePHI as well as failing to notify each individual whose unsecured ePHI was reasonably believed to have been accessed, acquired, used, or disclosed as a result of the breach.
