Idaho State University to pay HHS $400K after investigation reveals shoddy security

Share this article:

Idaho State University (ISU)  this week settled (PDF) with the U.S. Department of Health and Human Services (HHS) for $400,000 in the wake of a data breach that exposed the personal information of 17,500 patients.

Reported in August 2011, the incident at Pocatello Family Medical Clinic happened because of a disabled firewall maintained by the university, which oversees 29 outpatient clinics, according to HHS. About six of those clinics must follow Health Insurance Portability and Accountability Act (HIPAA) Security and Privacy rules, while the others aren't considered "covered entities," likely because of reasons such as they don't conduct electronic billing, an HHS spokeswoman told on Thursday.

As with other HIPAA-related settlements, ISU was not fined over the breach, but due to inadequate security HHS observed in an investigation that resulted from the breach. HHS reviewed the university's compliance from April 1, 2007 to Nov. 26, 2012 and determined that it failed to perform a risk analysis of its confidential electronic patient information, failed to implement measures to reduce risks and vulnerabilities and failed to regularly review its records to determine if they'd been exposed.

Under the settlement, announced Tuesday, ISU did not admit violating HIPAA Security and Privacy rules, nor was the settlement an admission of liability. 

In addition to the payment it agreed to make to HHS, the university must implement a "comprehensive corrective action plan" to address the shortfalls raised by the investigation.

Share this article:

Next Article in News

Sign up to our newsletters

More in News

Hackers target video game companies to lift copy protections and develop cheats

A threat group is targeting video game companies in order to lift DRM protections, develop cheats and possibly to steal source code.

Android malware spreads via mail tracking SMS spam

The mobile malware is currently targeting German users, McAfee revealed.

About 2,800 victims of worldwide info-stealing campaign targeting various sectors

About 2,800 victims of worldwide info-stealing campaign targeting ...

Unknown attackers have claimed about 2,800 victims in an ongoing information-stealing campaign identified by Kaspersky Lab as "Crouching Yeti."