Oregon Health & Science University to Pay the Office for Civil Rights $2.7 Million for 2013 Data Breaches
Oregon Health & Science University (OHSU) has agreed to settle with the Department of Health and Human Services' Office for Civil Rights (OCR) over two data breaches suffered in 2013. OHSU will pay a $2.7 million penalty to resolve alleged HIPAA violations without admitting liability.
The privacy breaches occurred in quick succession during 2013. Within a period of three months, the protected health information (PHI) of more than 7,000 patients was exposed.
The first breach of patient records involved the theft of an unencrypted laptop from a vacation rental in Hawaii that had been rented by an OHSU physician. The laptop contained the PHI of 4,022 patients.
The second incident concerned the accidental exposure of PHI through a cloud storage service. Physicians were using the Internet service to share a spreadsheet containing patient records. However, the cloud service provider was a HIPAA business associate (BA) of OHSU, and no business associate agreement had been obtained before the service was used. As a result, the records of 3,044 patients were put at risk.
In addition to the substantial financial penalty, OHSU must implement a robust Corrective Action Plan (CAP) to ensure that all security issues are addressed and that patient privacy is adequately protected. The CAP, which will run for a period of three years, also requires OHSU to submit regular reports to OCR.
Both data breaches prompted internal investigations, and measures were put in place to improve security and keep patients' PHI private. OHSU complied with the requirements of the HIPAA Breach Notification Rule: it notified patients of the breaches, issued media notices, and submitted reports to OCR. Affected patients were also offered identity theft protection and credit monitoring services to help manage the risk.
Nevertheless, the OCR investigation found that HIPAA Rules had been violated. Had the HIPAA Rules been followed, the breaches could have been prevented and patient records would not have been put at risk. Given the seriousness of the violations, a financial penalty was deemed appropriate.
According to a statement released by Bridget Barnes, OHSU's CIO, OHSU is now "investing at an unprecedented level in practical steps to further protect patient information."