This past summer, multiple HIPAA OCR settlements were reached. Each of the settlements are explained in this two-part blog series:

University of Mississippi Medical Center
The University of Mississippi Medical Center (UMMC) recently agreed to a $2.75 million settlement after multiple reports of alleged HIPAA violations that eventually led to a healthcare data breach affecting 10,000 individuals. After reviewing the incident, the OCR determined that UMMC was not taking adequate risk management security measures even after becoming aware of certain risks and vulnerabilities to its system. Specifically, a UMMC privacy officer leaned that a password protect laptop was missing from the intensive care unit and most likely had been stolen by a visitor.

The OCR found that “ePHI stored on a UMMC network drive was vulnerable to unauthorized access via UMMC’s wireless network because users could access an active directory containing 67,000 files after entering a generic username and password. OCR also found that UMMC had not implemented physical safeguards for all workstations and did not implement policies and procedures intended to prevent, detect, contain, and correct security violations.

Oregon Health and Science University
This past summer, Oregon Health and Science University (OHSU) agreed to a $2.7 million settlement following two health data breaches in 2013. OHSU submitted multiple breach reports to OCR including two reports with unencrypted laptops and a stolen unencrypted thumb drive. These breaches affected thousands of individuals.

OCR also found that OHSU had used Google Mail and Google Drive which have security features in place such as password protection, however, Google was not an official business associate and there was no contractual agreement in place to use or store OHSU patient health information.