Oklahoma State University Settles HIPAA Investigation and Pays $875,000 Penalty

An investigation conducted by the HHS’ Office for Civil Rights (OCR) of a hacking incident at Oklahoma State University Center for Health Sciences (OSU-CHS) uncovered multiple violations of the HIPAA Rules. The case has been settled and OSU-CHS will pay an $875,000 financial penalty. OSU-CHS has also agreed to implement a robust corrective action plan to address the areas of noncompliance identified by OCR, and OCR will closely monitor OSU-CHS for 2 years.

Like so many other reported healthcare data breaches, the incident involved unauthorized individuals accessing a web server that contained the electronic protected health information (ePHI) of patients. The security breach was reported to OCR on January 5, 2018, as affecting 279,865 individuals. According to the notification, the data breach occurred on November 7, 2017; however, OSU-CHS later reported that the breach had occurred on March 9, 2016.

OCR investigates all reported data breaches involving the records of 500 or more individuals and seeks to establish whether the breached entity was compliant with the HIPAA Rules. OCR’s investigation identified seven different provisions of the HIPAA Rules that had potentially been violated.

  • 45 C.F.R. § 164.308(a)(1)(ii)(A) – Risk analysis
  • 45 C.F.R. § 164.308(a)(8) – Evaluation after changes that could affect the security of ePHI
  • 45 C.F.R. § 164.312(b) – Audit controls
  • 45 C.F.R. § 164.308(a)(6)(ii) – Security incident response and reporting
  • 45 C.F.R. § 164.404 – Timely breach notifications to affected individuals
  • 45 C.F.R. § 164.408 – Timely breach notification to the HHS
  • 45 C.F.R. § 164.502(a) – An impermissible disclosure of the ePHI of 279,865 individuals

As in so many other OCR enforcement actions, OSU-CHS was found not to have conducted a comprehensive, accurate, organization-wide risk analysis to identify risks and vulnerabilities to the confidentiality, integrity, and availability of ePHI. When there is any environmental or operational change that has the potential to affect the security of ePHI, a technical and nontechnical evaluation must be performed. HIPAA-regulated entities are required to implement audit controls that examine and record activity in information systems that contain ePHI. HIPAA-regulated entities must also identify and respond to suspected or known security incidents and mitigate their harmful effects. Breach notifications must be issued to the HHS and affected individuals within 60 days of the discovery of a data breach.

These compliance failures were determined to be individually and collectively severe enough to warrant a financial penalty. OSU-CHS agreed to settle the case with no admission of liability.

“HIPAA-covered entities are vulnerable to cyber-attackers if they fail to understand where ePHI is stored in their information systems,” said OCR Director Lisa J. Pino. “Effective cybersecurity starts with an accurate and thorough risk analysis and implementing all of the Security Rule requirements.”