Idaho State University to pay HHS $400K after investigation reveals shoddy security
Idaho State University (ISU) this week settled with the U.S. Department of Health and Human Services (HHS) for $400,000 in the wake of a data breach that exposed the personal information of 17,500 patients.
Reported in August 2011, the incident at Pocatello Family Medical Clinic occurred because a firewall maintained by the university had been disabled, according to HHS. The university oversees 29 outpatient clinics. About six of them must follow the Health Insurance Portability and Accountability Act (HIPAA) Security and Privacy rules, while the others aren't considered "covered entities," likely for reasons such as not conducting electronic billing, an HHS spokeswoman told SCMagazine.com on Thursday.
As with other HIPAA-related settlements, the payment is not a fine for the breach itself but for the inadequate security HHS found in the investigation the breach triggered. HHS reviewed the university's compliance from April 1, 2007 to Nov. 26, 2012 and determined that it had failed to perform a risk analysis of its confidential electronic patient information, failed to implement measures to reduce the risks and vulnerabilities it faced, and failed to regularly review its information system activity records, the logs that would have shown whether patient data had been exposed.
Under the settlement, announced Tuesday, ISU did not admit violating HIPAA Security and Privacy rules, nor was the settlement an admission of liability.
In addition to the payment it agreed to make to HHS, the university must implement a "comprehensive corrective action plan" to address the deficiencies identified by the investigation.