Oregon university pays $2.7M, agrees to corrective action plan following breaches

Oregon Health & Science University (OHSU) has settled with HHS to resolve allegations that a series of data breaches affecting thousands of people involved potential violations of the Health Insurance Portability and Accountability Act (HIPAA) (P.L. 104-191). The settlement requires a $2.7 million payment and the implementation of a corrective action plan (CAP). The HHS Office for Civil Rights (OCR) stated that OHSU failed to correct known security weaknesses in its systems despite several opportunities to do so.

Risk analysis and breaches

Between 2003 and 2013, OHSU performed six risk analyses, none of which covered all of the electronic protected health information (ePHI) it held, as the HIPAA Security Rule requires. Even these incomplete analyses identified widespread vulnerabilities. OHSU did not implement security measures to address them and did not create the policies and procedures needed to prevent, detect, and respond to security violations. In particular, the risk analyses identified the lack of encryption as a vulnerability, yet ePHI on portable devices remained unencrypted.

Several breaches followed from this inaction. Two involved unencrypted laptops and another a stolen unencrypted thumb drive. In a separate incident, OHSU stored the protected information of thousands of people on a cloud-based server without a business associate agreement (the contract HIPAA requires with any vendor that handles ePHI). More than a thousand of those individuals had diagnoses of a sensitive nature, presenting a significant risk of harm. The data on that server also included payment information, photos, Social Security numbers, driver's license numbers, and records of medical procedures.

Resolution agreement

Under the resolution agreement, OHSU commits to implementing the CAP and making the $2.7 million payment. In exchange, HHS releases OHSU from the enforcement actions it could otherwise have pursued over the alleged violations covered by the agreement. The CAP imposes several obligations on OHSU, beginning with a thorough, enterprise-wide assessment of the risks and vulnerabilities to ePHI at all of its facilities, covering every system, network, and device that creates, receives, maintains, or transmits ePHI. OHSU must then develop a risk management plan for implementing security measures to address those risks and submit it to HHS for review and approval. OHSU must also provide HHS with regular updates on the encryption status of its devices and on its overall compliance with the CAP.