A 2016 breach at Oklahoma State University Center for Health Sciences (OSUCHS) might not have seemed all that serious at the time: No data is believed to have been misused, credit monitoring services were not offered and—another rarity—OSUCHS was never the subject of a class-action suit.
Yet last month, OSUCHS found itself in a settlement with the HHS Office for Civil Rights (OCR) for alleged HIPAA violations, paying $875,000 and agreeing to a two-year corrective action plan (CAP) that includes the little-employed requirement to appoint an independent monitor to oversee it.[1]
An OSUCHS spokesperson said the settlement was the product of lengthy negotiations with OCR. On July 14, OCR said its investigation found that OSUCHS violated the Privacy, Security and Breach Notification rules.[2] OCR’s documents show OSUCHS’ initial discovery of the breach was marked by misinformation and missteps, while the spokesperson provided additional insight into what happened.
In a Jan. 5, 2018, public breach notice by the organization, OSUCHS officials said that on Nov. 7, 2017, they “learned an unauthorized third party had gained access to folders on the OSUCHS computer network. These folders stored Medicaid patient billing information. On November 8th, we took immediate action to remove the folders from the computer network and terminated the third party access. We also launched a thorough investigation, including hiring an independent data security firm. The firm assisted us in determining whether the folders had been compromised.”[3]
The notice, reported by DataBreaches.net, said OSUCHS’ investigation “could not rule out whether the third party explicitly accessed patient information. The information in the folders may have included patients’ names, Medicaid numbers, healthcare provider names, dates of service, and limited treatment information. It is important to note these folders did not contain medical records. A single social security number was contained on the server.”
Officials added that they had “no conclusive indication of any inappropriate use of patient information. However, out [of] an abundance of caution, we began mailing letters to affected patients on January 5, 2018. We also established a dedicated call center to answer any questions [you] may have. If you believe your information was affected and do not receive a letter by February 15, 2018, or if you have questions regarding this incident, please call 1-844-551-1727, Monday through Friday, 8 am to 8 pm Central Time. For patients affected by this incident, please be alert to any healthcare services you did not receive from any of your providers. If you learn of any services you did not receive, please contact your provider and Medicaid immediately.”
The notice ended with the familiar pledge to protect patient information. “At OSU Center for Health Sciences, we care deeply about our patients. Patient confidentiality is a critical part of our commitment to care and we work diligently to protect patient information. We apologize for any concern or inconvenience this incident may cause our patients. Since this incident, we have implemented additional security measures to enhance the protection of our patient information.”
Access First Occurred in 2016
However, the date of the breach was later changed to a full 20 months earlier than OSUCHS had originally stated. According to OCR, electronic protected health information (ePHI) “was first impermissibly disclosed on March 9, 2016.”
The agreement states that on Sept. 25, 2016, OSUCHS “discovered that an unauthorized user had previously accessed the same server, with the first date of access occurring on March 9, 2016.” But it also didn’t believe at the time that “there was electronic PHI stored on that server,” which turned out to be incorrect. OCR said nearly 290,000 individuals’ records were affected.
According to OSUCHS spokesperson Monica Roberts, officials “originally discovered the vulnerability in 2016 and took corrective actions. In 2017 we discovered that the corrective actions did not resolve the issue and that was the time we also discovered that PHI was vulnerable.”
Roberts added that “we were never able to establish that a hacker actually accessed any protected information.” Although the vulnerability was uncovered, there was “no evidence that the data was ever accessed.” She confirmed that only Medicaid data was involved. “This was claims-level data like what you would see from a claims clearinghouse. We were not using it for research purposes,” she pointed out.
The payment and settlement were “the result of years of investigation and negotiation with OCR,” Roberts said. “While there is no evidence that any PHI was actually accessed, we look forward to working with the approved monitor to improve our policies and procedures to make sure we are meeting our obligations to our patients to protect their personal information.”
Within 60 days of the agreement’s effective date, OSUCHS is required to hire an “independent monitor,” or “designate an individual or entity, to be a monitor and to review OSU-CHS’s compliance with this CAP.”
Monitor to Aid, Report on Compliance
The monitor’s duties include conducting reviews to “address and analyze OSU-CHS’s compliance with this CAP. The Monitor will assist OSU-CHS in conducting assessments to ensure the implementation specifications as described in the Security Rule to prevent, detect, and respond to potential risks and vulnerabilities to ePHI within its environment. The Monitor will assist in the collection of data to serve as evidence of the effectiveness of OSU-CHS’s compliance program. The Monitor will further define and recommend the tools to assist OSU-CHS in protecting the ePHI it creates, receives, maintains, and transmits. In addition, the Monitor will recommend security measures to ensure the confidentiality, integrity, and availability of ePHI received, created, maintained, and transmitted within OSU-CHS’s covered components,” according to the CAP.
OSUCHS can’t terminate or remove the monitor without prior approval from HHS. Conversely, HHS can require such termination if it “has reason to believe that a Monitor does not possess the expertise, independence, or objectivity required by this CAP, or has failed to carry out its responsibilities as set forth in this CAP.” HHS can also “conduct its own review to determine whether the Monitor reviews or reports complied with the requirements of the CAP and/or are inaccurate,” which it calls a “validation review.”
Under the CAP, OSUCHS also must undertake a “security management process,” which includes a “comprehensive, enterprise-wide risk analysis of the security threats and vulnerabilities” to ePHI that it has “created, received, maintained or transmitted” and that resides on “electronic media, workstations, and information systems owned, controlled or leased” by the organization.
A version of this story originally appeared in Report on Research Compliance, RMC’s sister publication.[4] For more information, see https://www.hcca-info.org/rrc.