Privacy & Security

University of Washington Medicine pays $750,000 over security lapses tied to 2013 breach

Electronic health info on about 90,000 individuals was accessed after an employee downloaded an email attachment with malware.
By Bernie Monegain
December 15, 2015
10:18 AM

The University of Washington Medicine will spend $750,000 to settle charges that it potentially violated the HIPAA Security Rule by failing to implement policies and procedures to prevent, detect, contain and correct security violations.

The HHS Office for Civil Rights, which is charged with upholding the HIPAA Privacy Rule, announced the terms of the settlement on December 14.

Specifically, OCR spotlighted insufficient risk analysis at UWM.

The primary teaching hospital of the University of Washington School of Medicine, UWM is an affiliated covered entity under HIPAA. As such, it must have in place appropriate policies and processes to assure HIPAA compliance with respect to each of the entities that are part of the affiliated group.

Besides paying a $750,000 settlement, UWM also agreed to a corrective action plan, and annual reports on the organization's compliance efforts.

[See also: Lahey pays $850K for 'widespread' HIPAA non-compliance.]

OCR initiated its investigation of UWM following receipt of a breach report on Nov. 27, 2013, which indicated that the electronic protected health information of about 90,000 individuals was accessed after an employee downloaded an email attachment that contained malicious malware. The malware compromised the organization's IT system, affecting the data of two groups of patients: About 76,000 patients involving a combination of patient names, medical record numbers, dates of service and/or charges or bill balances and about 15,000 patients involving names, medical record numbers, other demographics such as address and phone number, dates of birth, charges or bill balances, social security numbers, insurance identification or Medicare numbers.

[See also: Malware mishap makes for massive breach.]

OCR's investigation indicated UWM's security policies required its affiliated entities to have up-to-date, documented system-level risk assessments and to implement safeguards in compliance with the security rule. But UWM did not ensure that all of its affiliated entities were properly conducting risk assessments and appropriately responding to the potential risks and vulnerabilities in their respective environments.

[Like Healthcare IT News on Facebook]

"All too often we see covered entities with a limited risk analysis that focuses on a specific system such as the electronic medical record or that fails to provide appropriate oversight and accountability for all parts of the enterprise," said OCR Director Jocelyn Samuels in a press statement. "An effective risk analysis is one that is comprehensive in scope and is conducted across the organization to sufficiently address the risks and vulnerabilities to patient data."

Twitter: @HealthITNews

Topics: 
Privacy & Security, Compliance & Legal

More regional news

Clinician in scrubs at a hospital computer

CommonSpirit partners up with U of U for clinical collaboration

By
Andrea Fox
November 22, 2024
Stethoscope on an iPad

HIMSSCast: Care provider or tool? When and why patients like AI

By
Andrea Fox
November 22, 2024

EHR tips on migrating an all-digital hospital to Epic

By
Bill Siwicki
November 22, 2024
Want to get more stories like this one? Get daily news updates from Healthcare IT News.
Your subscription has been saved.
Something went wrong. Please try again.

Top Story
EHR tips on migrating an all-digital hospital to Epic

Most Read

What Loper Bright and the end of Chevron deference mean for HHS
Particle Health files antitrust suit against Epic
Choosing a managed IT service for aged care
ASTP intros 2024 draft Federal FHIR Action Plan
CrowdStrike all but assures Capitol Hill: Never again
Korea's largest hospital bags APAC's first Stage 6 of new INFRAM

Research

White Papers

More Whitepapers

Patient Engagement
Patient Engagement
Financial/Revenue Cycle Management

Webinars

More Webinars

Imaging
Interoperability
Artificial Intelligence

Video

David Miles at Oklahoma Heart Hospital_Part 2_Doctor holding health icon Photo by Tippapatt/iStock/Getty Images Plus
Switching from Cerner to Epic? Meet a CIO who made it out alive
David Miles at Oklahoma Heart Hospital_Part 1_Doctor holding health icon Photo by Tippapatt/iStock/Getty Images Plus
The CIO of an all-digital hospital walks readers through its successes
Dr Alice Sutedjo Lisa at SMC Telogorejo Hospital_HIMSS24 APAC
Assisting the elderly in digital care
Dr. Benoit Desjardins of the University of Montreal
Cyberattacks are becoming more widespread, and more disruptive

More Stories

Agency cybersecurity infosec illustrated by many colored streams harnessed by a lock
OIG again deems HHS' infosec program ineffective
Joanna Lucas, RN, of St. Luke's University Health Network
Case and referral management technology gets big results for St. Luke's
Dr. Benoit Desjardins of the University of Montreal
Cyberattacks are becoming more widespread, and more disruptive
Northwestern Medicine
Northwestern Medicine announces international healthcare collaboration
BJ Schaknowski of symplr
Too many IT systems with limited alignment impacts care quality
Doctor in scrubs using computer
Tenet to deploy AI platform across its physician network
Healthcare CIO with other healthcare executives
Health system CIOs' strategic responsibilities continue to evolve
George Pappas at Intraprise Health_Digital shield and lock Photo by da-kuk/Getty Images
Tighter cyber mandates hold New York providers to higher security standards