In March 2012, ACMHS reported a security breach to OCR in which the hospital said the protected health information of 2,743 people had been compromised due to malware that threatened the security of its IT resources.
Upon further investigation, OCR found ACMHS had adopted sample Security Rule policies and procedures in 2005, but they were not followed. Additionally, OCR determined ACMHS failed to identify and address basic security risks, such as not regularly updating its IT resources and running outdated software.
In addition to the $150,000 settlement, ACMHS will implement a corrective action plan and will report on the state of its compliance for the next two years.
“Successful HIPAA compliance requires a common sense approach to assessing and addressing the risks to ePHI on a regular basis,” said Jocelyn Samuels, director of the OCR. “This includes reviewing systems for unpatched vulnerabilities and unsupported software that can leave patient information susceptible to malware and other risks.”