Idaho State University to pay HHS $400K after investigation reveals shoddy security

Share this article:

Idaho State University (ISU)  this week settled (PDF) with the U.S. Department of Health and Human Services (HHS) for $400,000 in the wake of a data breach that exposed the personal information of 17,500 patients.

Reported in August 2011, the incident at Pocatello Family Medical Clinic happened because of a disabled firewall maintained by the university, which oversees 29 outpatient clinics, according to HHS. About six of those clinics must follow Health Insurance Portability and Accountability Act (HIPAA) Security and Privacy rules, while the others aren't considered "covered entities," likely because of reasons such as they don't conduct electronic billing, an HHS spokeswoman told SCMagazine.com on Thursday.

As with other HIPAA-related settlements, ISU was not fined over the breach, but due to inadequate security HHS observed in an investigation that resulted from the breach. HHS reviewed the university's compliance from April 1, 2007 to Nov. 26, 2012 and determined that it failed to perform a risk analysis of its confidential electronic patient information, failed to implement measures to reduce risks and vulnerabilities and failed to regularly review its records to determine if they'd been exposed.

Under the settlement, announced Tuesday, ISU did not admit violating HIPAA Security and Privacy rules, nor was the settlement an admission of liability. 

In addition to the payment it agreed to make to HHS, the university must implement a "comprehensive corrective action plan" to address the shortfalls raised by the investigation.

Share this article:
close

Next Article in News

Sign up to our newsletters

More in News

POS malware risks millions of payment cards for Michaels, Aaron Brothers shoppers

POS malware risks millions of payment cards for ...

An investigation dating back to January has finally confirmed that malware on point-of-sale systems may have compromised payment card data for millions of Michaels Stores and Aaron Brothers customers.

Phishing scam targets Michigan public schools

Unknown attackers used the finance director's email account to request wire transfers from the school district's accounting department.

Contempt order against Lavabit still stands, appeals court rules

Contempt order against Lavabit still stands, appeals court ...

A federal appeals court backed an earlier ruling penalizing the email service.