Oklahoma State University's Center for Health Sciences paid an $875,000 penalty for HIPAA violations following a 2018 data breach. ("Cash Money (part two)" by jtyerse is licensed under CC BY-NC-ND 2.0.)

The Oklahoma State University - Center for Health Sciences paid the Department of Health and Human Services Office for Civil Rights an $875,000 civil monetary penalty to resolve possible violations of the Health Insurance Portability and Accountability Act, following a 2018 healthcare data breach.

OSU-CHS has also agreed to a corrective action plan to bolster its security management, policies, and procedures.

OCR launched an audit into the preventive, rehabilitative, and diagnostic care provider after it reported a breach of protected health information on Jan. 5, 2018. The incident was caused by a threat actor gaining access to a web server used by its workforce to store certain PHI. The actor then installed malware, which exposed the data of 279,865 patients.

The compromised data included names, dates of birth, contact details, treatments, Medicaid numbers, healthcare provider names, and dates of service.

OSU-CHS first discovered the incident on Nov. 7, 2017, but did not notify HHS or the affected individuals until more than 30 days after the 60-day HIPAA notification deadline had passed. An analysis found that the server compromise began on March 9, 2016.

“At the time of the 2016 incident, OSU-CHS reported that it was not aware that there was electronic PHI stored on that server,” according to the OCR report. The investigation revealed several other HIPAA violations, including failure to conduct an accurate risk analysis, failure to implement audit controls, the lack of an incident response plan and incident reporting, and failure to provide timely notification.

“HIPAA covered entities are vulnerable to cyberattackers if they fail to understand where ePHI is stored in their information systems,” OCR Director Lisa J. Pino said in a statement. “Effective cybersecurity starts with an accurate and thorough risk analysis and implementing” all HIPAA requirements.

PHI risk analysis included in OSU-CHS corrective action plan

In addition to the monetary penalty, OSU-CHS must adhere to a corrective action plan that requires the provider to conduct an enterprise-wide risk analysis of the security threats and vulnerabilities with potential risks to all PHI it creates, receives, maintains or shares.

The analysis must include all electronic media, workstations, or IT systems employed by OSU-CHS to manage health data, as well as all of its healthcare components. The provider can conduct the assessment using internal resources or through a third-party vendor.

The information gathered during the assessment must be used to develop a risk management plan able to address and mitigate determined security threats and vulnerabilities, which must then be forwarded to HHS for review and approval within 90 days.

The corrective action plan also mandates that OSU-CHS develop and maintain its written HIPAA policies and procedures for governing the privacy and security of PHI, which must address all identified threats and vulnerabilities. The provider must also ensure its policies comply with the breach notification rule to “address the issue of timely notification.”

All of the updated policies and procedures must be distributed to any workforce members who interact with PHI. OSU-CHS must also retrain employees on the relevant HIPAA privacy and security policies.

Lastly, OSU-CHS is required to designate an independent monitor with expertise in HIPAA compliance to review its adherence to the corrective action plan. The monitor will be responsible for assessing and analyzing the provider’s compliance with the corrective action plan, as well as overseeing the required risk assessments and collecting data to verify compliance.