HIPAA Horror Stories

The Great Pocatello IT Disaster

one-minute read

An Idaho Clinic IT Failure Leads To Massive Fine

Weaknesses in your Information Technology (IT) setup may be putting your entire operation at risk. It happens all the time. Digital data breaches are common, devastating, and can go undetected for months. The results can be devastating.

This one goes back to 2013, but the situation, with all its risks, is out there on many servers today, ready to violate patient privacy and cost operators hundreds of thousands of dollars in penalties.

Idaho State University (ISU) agreed to pay $400,000 to the U.S. Department of Health Human Services (HHS) to settle alleged violations of the Health Insurance Portability and Accountability Act  (HIPAA) Security Rule.  The settlement involves the breach of unsecured electronic protected health information (ePHI) of approximately 17,500 patients at ISU’s Pocatello Family Medicine Clinic.

Misconfigured Server Fails To Protect Patient Data

Operating 29 outpatient clinics, ISU isn’t simply responsible for the healthcare of tens of thousands, the teaching institution also maintains the health information technology systems at each location. Many of those systems fall under HIPAA guidelines. Failure to protect the private health information within these computers is violation of federal law.

According to the HHS, IT staff at ISU’s Pocatello clinic failed to enable a server firewall – a setting that protects data from unauthorized access. The error went undetected for 10 months, leading to the potential compromise of 17,500 patients’ private data, which was left unprotected by the server’s engineered security.

Server Security Failure Leads to Poor OCR Assessment

OCR’s investigation indicated that ISU’s risk analyses and assessments of its clinics were incomplete and inadequately identified potential risks or vulnerabilities. ISU also failed to assess the likelihood of potential risks occurring.

ISU did not apply proper security measures and policies to address risks to ePHI and did not have procedures for routine review of their information system in place, which could have detected the firewall breach much sooner.

“Risk analysis, ongoing risk management, and routine information system reviews are the cornerstones of an effective HIPAA security compliance program,” said Leon Rodriguez, who was OCR Director at the time.

In addition to the fine, ISU agreed to a comprehensive corrective action plan.

The interactive Risk Analysis in The HIPAA E-Tool® contains everything required by the National Institute of Standards and Technology (NIST) for a complete security risk assessment. It’s the most comprehensive HIPAA compliant Risk Analysis you’ll find. Use it and avoid the Pocatello disaster.

If you’re not 100 percent sure your servers are properly secured, we can help.

Photo by Thomas Jensen on Unsplash

The HIPAA E-Tool® makes compliance fast and easy. Get your free HIPAA Quick Start kit, complete with a webcam privacy guard, HIPAA Hot Zone labels and a HIPAA checklist delivered directly to your office.

Don’t become a HIPAA Horror Story! HIPAA compliance is easy, when you know the rules.

Request A Demo

Copyright © 2020 ET&C Group LLC.

The HIPAA E-Tool® and Protecting Patient Privacy is Our Job®
are registered trademarks of ET&C Group LLC

Terms of Service | Privacy Policy

Powered by JEMSU

Mailing Address
The HIPAA E-Tool
PO Box 179104
St. Louis, MO 63117-9104

8820 Ladue Road Suite 200
Saint Louis, MO 63124

You may have questions about COVID-19 and HIPAA. We have answers. 

We are open and answering questions about all the new modifications and waivers, coming from HHS, OCR, CMS, and the new CARES act.

If you need help with HIPAA during the COVID-19 pandemic, fill in the form, and we’ll get back to you.

Free hipaa kit!

hipaa compliance Quick start kit
Delivered free