University of Mississippi Medical Center to pay $2.75M to settle HIPAA violations over stolen laptop

Jackson-based University of Mississippi Medical Center will pay $2.75 million and adopt a corrective action plan to resolve potential HIPAA violations concerning a stolen laptop that breached the protected health information of approximately 10,000 individuals.

OCR launched an investigation into UMMC in March 2013 after the health system reported a password-protected laptop was missing from the Medical Intensive Care Unit. UMMC's internal investigation suggested a visitor who had previously inquired about borrowing one of the laptops had stolen it.

The laptop contained protected health information that was easily accessible to unauthorized users who could access an active directory with such information using a generic username and password. The files included information on patients dating back to 2008.

OCR's investigation determined UMMC was aware of risks and vulnerabilities to its systems prior to the breach but had not initiated any risk management activity until after the breach "due largely to organizational deficiencies and insufficient institutional oversight," according to an OCR statement.

Additionally, UMMC did not notify each individual whose protected health information was compromised in the breach.

"We did not feel like we had adequate contact information for the individuals affected — or even a way to develop a reliable list — to make individual contact," UMMC spokesperson Tom Fortner told Mississippi Today. "So, as required by [HIPAA] in such situations, we posted information about the breach on our website for 90 days and provided information about the breach to the news media."

OCR's investigation also found UMMC failed to implement risk and security management policies and procedures; implement physical safeguards to workstations containing protected health information; and assign unique usernames or numbers for identifying and tracking identities of those using systems that contain protected health information.

"In addition to identifying risks and vulnerabilities to their ePHI, entities must also implement reasonable and appropriate safeguards to address them within an appropriate time frame," Jocelyn Samuels, director of the OCR, said in a statement. "We at OCR remain particularly concerned with unaddressed risks that may lead to impermissible access to ePHI."

More articles on HIPAA:

ProPublica posts HIPAA violation notification letters in ongoing patient privacy series 
Oregon Health & Science University to pay $2.7M to settle 2013 HIPAA violations 
HHS: Ransomware attacks considered breaches in most cases 

© Copyright ASC COMMUNICATIONS 2019. Interested in LINKING to or REPRINTING this content? View our policies by clicking here.

 

Top 40 Articles from the Past 6 Months