Outdated software leads to $150K fine for HIPAA breach
Anchorage Community Mental Health Services in Alaska has agreed to pay a five-figure fine and improve its HIPAA compliance program after an investigation by HHS found the group failed to appropriately safeguard patient data with outdated software.
A five-facility mental health organization will pay $150,000 to HHS to settle potential HIPAA violations after it failed to patch its systems and continued to run outdated, unsupported software, which eventually led to a malware data breach affecting 2,743 individuals. ACMHS reported the breach to HHS in March 2012.
Following the investigation by HHS’ Office for Civil Rights, officials discovered ACMHS had adopted HIPAA security policies and procedures, but they were not followed by the organization’s employees for a seven-year period, from 2005 to 2012. The data breach of electronic protected health information resulted after ACMHS failed to “identify and address basic risks,” OCR officials wrote in a settlement bulletin. Specifically, the organization neglected to update IT resources with system patches and updated software.
Data breaches cost healthcare organizations billions of dollars, and protecting health information is now a big business. What made this case particularly important—beyond being a run-of-the-mill data breach incident—is that something as seemingly small as out-of-date IT led to HHS’ declaration of “breach” for the Alaska organization.
As the report noted, nearly 41.5 million people have had their protected health information compromised in a reportable HIPAA privacy or security breach.
It just goes to show that crafting a HIPAA security policy is one thing—but following it is quite another (and far more important).
Have you made sure your infrastructure is well protected and up to date? If not, it may be a good time to give us a call or email and let us assist you in the process. Having an experienced Healthcare IT professional take a look at your setup may be the difference between being compliant and facing a hefty fine.