An Idaho Clinic IT Failure Leads To Massive Fine

Weaknesses in your Information Technology (IT) setup may be putting your entire operation at risk. It happens all the time. Digital data breaches are common, and they can go undetected for months. The results can be devastating.

This one goes back to 2013, but the situation, with all its risks, is out there on many servers today, ready to violate patient privacy and cost operators hundreds of thousands of dollars in penalties.

Idaho State University (ISU) agreed to pay $400,000 to the U.S. Department of Health and Human Services (HHS) to settle alleged violations of the Health Insurance Portability and Accountability Act (HIPAA) Security Rule. The settlement involves the breach of unsecured electronic protected health information (ePHI) of approximately 17,500 patients at ISU’s Pocatello Family Medicine Clinic.

Misconfigured Server Fails To Protect Patient Data

Operating 29 outpatient clinics, ISU isn’t simply responsible for the healthcare of tens of thousands of patients; the teaching institution also maintains the health information technology systems at each location. Many of those systems fall under HIPAA guidelines. Failure to protect the private health information within these computers is a violation of federal law.

According to HHS, IT staff at ISU’s Pocatello clinic failed to enable a server firewall – a setting that protects data from unauthorized access. The error went undetected for 10 months, leading to the potential compromise of 17,500 patients’ private data, which was left without the protection the server’s security controls were designed to provide.

Server Security Failure Leads to Poor OCR Assessment

The investigation by the HHS Office for Civil Rights (OCR) indicated that ISU’s risk analyses and assessments of its clinics were incomplete and inadequately identified potential risks or vulnerabilities. ISU also failed to assess the likelihood of potential risks occurring.

ISU did not apply proper security measures and policies to address risks to ePHI, and it had no procedures in place for routine review of its information systems, which could have detected the firewall failure much sooner.
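The routine information system review described above is the kind of check that would have caught a disabled host firewall within days rather than months. The following is an added example, not code from the original post or from ISU or HHS: it parses iptables-save style dumps collected from a fleet of servers and flags any host whose filter table is missing, or whose INPUT chain accepts everything by default with no DROP/REJECT rule. The host names and dumps are constructed for illustration and have nothing to do with the Pocatello clinic.

```python
"""Routine firewall-state review over iptables-save dumps.

Added example with constructed sample data; the hosts and rule sets below
are hypothetical and not taken from the ISU case.
"""
from dataclasses import dataclass, field


@dataclass
class FilterTable:
    policies: dict = field(default_factory=dict)  # chain name -> default policy
    rules: dict = field(default_factory=dict)     # chain name -> list of '-A' rule lines


def parse_iptables_save(dump: str) -> FilterTable:
    """Parse only the *filter table of an iptables-save dump.

    Chain headers look like ':INPUT DROP [0:0]' and rules like '-A INPUT ... -j ACCEPT'.
    Other tables (*nat, *mangle) are skipped.
    """
    table = FilterTable()
    in_filter = False
    for raw in dump.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("*"):          # start of a table section
            in_filter = line == "*filter"
            continue
        if not in_filter:
            continue
        if line == "COMMIT":              # end of the filter table
            in_filter = False
            continue
        if line.startswith(":"):          # chain definition with default policy
            chain, policy = line[1:].split()[:2]
            table.policies[chain] = policy
            table.rules.setdefault(chain, [])
        elif line.startswith("-A "):      # rule appended to a chain
            chain = line.split()[1]
            table.rules.setdefault(chain, []).append(line)
    return table


def review_host(name: str, dump: str) -> dict:
    """Classify one host as 'ok', 'open' (effectively no firewall) or 'missing'."""
    table = parse_iptables_save(dump)
    if "INPUT" not in table.policies:
        return {"host": name, "status": "missing",
                "reason": "no filter table or INPUT chain in dump"}
    policy = table.policies["INPUT"]
    rules = table.rules.get("INPUT", [])
    denies = any(" -j DROP" in r or " -j REJECT" in r for r in rules)
    if policy == "ACCEPT" and not denies:
        return {"host": name, "status": "open",
                "reason": "INPUT policy ACCEPT with no DROP/REJECT rules: firewall effectively disabled"}
    return {"host": name, "status": "ok",
            "reason": f"INPUT policy {policy}, {len(rules)} rule(s)"}


def review_fleet(dumps: dict) -> list:
    """Review every host and return only the findings that need attention, sorted by host."""
    findings = [review_host(host, dump) for host, dump in sorted(dumps.items())]
    return [f for f in findings if f["status"] != "ok"]


# Constructed sample dumps for hypothetical hosts.
SAMPLE_DUMPS = {
    # Default-deny policy with explicit allows: acceptable.
    "clinic-db-01": """# Generated by iptables-save
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp --dport 22 -s 10.0.5.0/24 -j ACCEPT
COMMIT
""",
    # Empty filter table with ACCEPT policies: the "firewall never enabled" case.
    "clinic-app-02": """# Generated by iptables-save
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
COMMIT
""",
    # Only a nat table was captured: treat as missing, not as ok.
    "clinic-app-03": "# Generated by iptables-save\n*nat\n:PREROUTING ACCEPT [0:0]\nCOMMIT\n",
    # ACCEPT policy but a terminal DROP rule: still a working firewall.
    "clinic-app-04": """*filter
:INPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp --dport 443 -j ACCEPT
-A INPUT -j DROP
COMMIT
""",
}

if __name__ == "__main__":
    for finding in review_fleet(SAMPLE_DUMPS):
        print(f"{finding['host']}: {finding['status'].upper()} - {finding['reason']}")
```

Run on a schedule against dumps pulled from each server, the script turns "is the firewall on?" into a recurring, recorded review: a host that reports `open` or `missing` is a finding to be ticketed the same day, and the history of runs is the evidence an auditor asks for.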

“Risk analysis, ongoing risk management, and routine information system reviews are the cornerstones of an effective HIPAA security compliance program,” said Leon Rodriguez, who was OCR Director at the time.

In addition to the fine, ISU agreed to a comprehensive corrective action plan.

The interactive Risk Analysis in The HIPAA E-Tool® contains everything required by the National Institute of Standards and Technology (NIST) for a complete security risk assessment. It’s the most comprehensive HIPAA compliant Risk Analysis you’ll find. Use it and avoid the Pocatello disaster.

If you’re not 100 percent sure your servers are properly secured, we can help.
