Idaho State University to pay HHS $400K after investigation reveals shoddy security

Idaho State University (ISU) this week settled (PDF) with the U.S. Department of Health and Human Services (HHS) for $400,000 in the wake of a data breach that exposed the personal information of 17,500 patients.

Reported in August 2011, the incident at Pocatello Family Medical Clinic happened because of a disabled firewall maintained by the university, which oversees 29 outpatient clinics, according to HHS. About six of those clinics must follow Health Insurance Portability and Accountability Act (HIPAA) Security and Privacy rules, while the others aren't considered "covered entities," likely for reasons such as not conducting electronic billing, an HHS spokeswoman said on Thursday.

As with other HIPAA-related settlements, ISU was not fined for the breach itself but for the inadequate security HHS observed in the investigation that followed it. HHS reviewed the university's compliance from April 1, 2007 to Nov. 26, 2012 and determined that it failed to perform a risk analysis of its confidential electronic patient information, failed to implement measures to reduce risks and vulnerabilities, and failed to regularly review its records to determine whether they had been exposed.

Under the settlement, announced Tuesday, ISU did not admit violating HIPAA Security and Privacy rules, nor was the settlement an admission of liability. 

In addition to the payment it agreed to make to HHS, the university must implement a "comprehensive corrective action plan" to address the shortfalls raised by the investigation.
