Idaho State University to pay HHS $400K after investigation reveals shoddy security


Idaho State University (ISU) this week settled with the U.S. Department of Health and Human Services (HHS) for $400,000 in the wake of a data breach that exposed the personal information of 17,500 patients.

Reported in August 2011, the incident at Pocatello Family Medical Clinic happened because of a disabled firewall maintained by the university, which oversees 29 outpatient clinics, according to HHS. About six of those clinics must follow Health Insurance Portability and Accountability Act (HIPAA) Security and Privacy rules, while the others aren't considered "covered entities," likely for reasons such as not conducting electronic billing, an HHS spokeswoman said on Thursday.

As with other HIPAA-related settlements, ISU was not fined over the breach itself, but over the inadequate security HHS observed in the investigation that resulted from the breach. HHS reviewed the university's compliance from April 1, 2007 to Nov. 26, 2012 and determined that it failed to perform a risk analysis of its confidential electronic patient information, failed to implement measures to reduce risks and vulnerabilities, and failed to regularly review its records to determine if they'd been exposed.

Under the settlement, announced Tuesday, ISU did not admit violating HIPAA Security and Privacy rules, nor was the settlement an admission of liability. 

In addition to the payment it agreed to make to HHS, the university must implement a "comprehensive corrective action plan" to address the shortfalls raised by the investigation.
