The Alaska Department of Health and Social Services (DHSS) will shell out $1.7 million to settle violations of the HIPAA Security Rule.
The Oct. 12, 2009 breach occurred when thieves stole a portable USB hard drive containing the personal information of 501 state Medicaid beneficiaries. Under HIPAA, covered health care entities must report any breach of protected health information (PHI) affecting 500 or more people to the U.S. Department of Health and Human Services' Office for Civil Rights (OCR).
In this case, the hefty settlement price tag was based not on the number of victims but on the apparently shoddy information security practices the Alaska agency had in place. Health care security regulators said that based on an investigation, which included an on-site visit, DHSS failed to conduct a risk analysis, deploy adequate risk management practices, complete security awareness training of its employees or implement measures to control and secure its devices.
"The enforcement action does not specifically focus on the stolen portable electronic device, but rather the findings of the investigation," Rachel Seeger, an OCR spokeswoman, told SCMagazine.com on Wednesday.
This marked OCR's first HIPAA enforcement action against a state agency. Sarana Schell, an Alaska DHSS spokeswoman, told SCMagazine.com on Thursday that her department had implemented a risk management plan in 2007, but it was not deemed current when the investigation took place. In addition, she said the agency was in the process of encrypting all of its mobile devices when the drive was stolen.
In the end, Alaska DHSS does not believe any fraud resulted from the breach.
The OCR launched a breach notification website in February 2010 as a requirement of the Health Information Technology for Economic and Clinical Health (HITECH) Act, a bill that promotes the use of health information technology. HITECH, passed as part of the 2009 economic stimulus bill, is intended to strengthen the protection of identifiable health information by expanding the scope of HIPAA, short for the Health Insurance Portability and Accountability Act.
Seeger said HITECH instituted a formalized, tiered system for penalties, with investigated entities facing up to $50,000 per violation.
Alaska DHSS also agreed to a corrective action plan as part of the settlement.
[An earlier version of this story incorrectly stated that the stolen device was a USB stick, when it was actually a hard drive].