Privacy & Security

University of Washington Medicine pays $750,000 over security lapses tied to 2013 breach

Electronic health info on about 90,000 individuals was accessed after an employee downloaded an email attachment with malware.
By Bernie Monegain
December 15, 2015
10:18 AM

The University of Washington Medicine will spend $750,000 to settle charges that it potentially violated the HIPAA Security Rule by failing to implement policies and procedures to prevent, detect, contain and correct security violations.

The HHS Office for Civil Rights, which is charged with upholding the HIPAA Privacy Rule, announced the terms of the settlement on December 14.

Specifically, OCR spotlighted insufficient risk analysis at UWM.

The primary teaching hospital of the University of Washington School of Medicine, UWM is an affiliated covered entity under HIPAA. As such, it must have in place appropriate policies and processes to assure HIPAA compliance with respect to each of the entities that are part of the affiliated group.

Besides paying a $750,000 settlement, UWM also agreed to a corrective action plan, and annual reports on the organization's compliance efforts.

[See also: Lahey pays $850K for 'widespread' HIPAA non-compliance.]

OCR initiated its investigation of UWM following receipt of a breach report on Nov. 27, 2013, which indicated that the electronic protected health information of about 90,000 individuals was accessed after an employee downloaded an email attachment that contained malicious malware. The malware compromised the organization's IT system, affecting the data of two groups of patients: About 76,000 patients involving a combination of patient names, medical record numbers, dates of service and/or charges or bill balances and about 15,000 patients involving names, medical record numbers, other demographics such as address and phone number, dates of birth, charges or bill balances, social security numbers, insurance identification or Medicare numbers.

[See also: Malware mishap makes for massive breach.]

OCR's investigation indicated UWM's security policies required its affiliated entities to have up-to-date, documented system-level risk assessments and to implement safeguards in compliance with the security rule. But UWM did not ensure that all of its affiliated entities were properly conducting risk assessments and appropriately responding to the potential risks and vulnerabilities in their respective environments.

[Like Healthcare IT News on Facebook]

"All too often we see covered entities with a limited risk analysis that focuses on a specific system such as the electronic medical record or that fails to provide appropriate oversight and accountability for all parts of the enterprise," said OCR Director Jocelyn Samuels in a press statement. "An effective risk analysis is one that is comprehensive in scope and is conducted across the organization to sufficiently address the risks and vulnerabilities to patient data."

Twitter: @HealthITNews

Topics: 
Privacy & Security, Compliance & Legal

More regional news

HIT professional reviews information on a laptop outside a server room

ASPR seeks feedback on public health orgs' cybersecurity needs

By
Andrea Fox
November 13, 2024
Gabriel Jones of Proprio on AI

Artificial intelligence is enabling big advances in surgery

By
Bill Siwicki
November 13, 2024
Pharmacist sorting pills

Deploy RFID technologies to streamline controlled substance management

November 13, 2024
Want to get more stories like this one? Get daily news updates from Healthcare IT News.
Your subscription has been saved.
Something went wrong. Please try again.

Top Story

Gabriel Jones of Proprio on AI
AI & ML Intelligence
Artificial intelligence is enabling big advances in surgery

Most Read

The Light Collective amplifies its call for patient data rights
Atrium Health responds to new social engineering attack
Vendor Notebook: New cybersecurity and EHR performance upgrades 
Texas AG settles with clinical genAI company
What Loper Bright and the end of Chevron deference mean for HHS
Particle Health files antitrust suit against Epic

Research

White Papers

More Whitepapers

Patient Engagement
Patient Engagement
Financial/Revenue Cycle Management

Webinars

More Webinars

Imaging
Interoperability
Artificial Intelligence

Video

Mike Relli at Knight Consulting_Global Health Equity Week 2024
New approaches to improving healthcare access for justice-impacted individuals
Jill Brewer at HIMSS_Healthcare Cybersecurity Forum 2024
What's the weakest link in organizational cybersecurity? Not what you might think
Richard Staynings at the University of Denver_Healthcare Cybersecurity Forum 2024
The challenges of safeguarding healthcare's 'data ocean'
Marjorie Rosen at HIMSS_Global Health Equity Week 2024
HIMSS chapters offer a powerful channel for healthcare advocacy

More Stories

Morgan L. Waller, RN, of Children's Mercy Kansas City on telemedicine
Deep dive: Exploring one of the most advanced telemedicine programs in the U.S.
Person on laptop at kitchen table with another who holds up prescription bottle for telehealth doctor
ATA calls on Congress to beat the telehealth deadline, as it preps for Trump's term
Anurag Mehta at Omega Healthcare_Physician working on laptop Photo by Dzonsli/E+/Getty Images
Clinician burnout can be reduced by virtual nursing
Healthcare worker and patient watching doctor on screen
Discover the potential ROI of bedside telehealth
HKUST Provost professor Guo Yike presenting their new health LLMs
Hong Kong university to test four genAI models in...
A doctor in a virtual consultation with a patient
China to pilot standards for virtual primary care
A doctor reviewing a patient's file on a desktop computer
Monash's clinical AI collab with India's...
Healthcare worker looking at medical record on tablet with patient in background
Protect your IoMT devices against evolving cyberattacks