Breach Costs OK State Nearly $900K; TX System Settles Access Complaint

By Theresa Defino

A breach of protected health information (PHI) six years ago caused by a hacker who accessed Medicaid records has cost Oklahoma State University Center for Health Sciences (OSUCHS) an $875,000 fine, and it also must undertake a litany of corrective actions, including the unusual step of appointing a monitor to oversee those efforts.[1]

The pricey settlement with the HHS Office for Civil Rights (OCR) comes despite the fact that the breach outwardly didn’t seem all that serious at the time: no data is believed to have been misused, credit monitoring services were not offered and—another rarity—OSUCHS was never the subject of a class-action suit over the breach.

Yet OCR on said July 14 its investigation found that OSUCHS violated the HIPAA Privacy, Security and Breach Notification rules.[2] An OSUCHS spokesperson told RRC the settlement was the product of lengthy negotiations with OCR.

In addition to the requirement for a monitor, the terms of the agreement harken back to OCR’s settlements in prior years that found a lack of electronic protections and unmet requirements, including security risk assessments.

The settlement is the second in July involving an academic health system. A day after the OSUCHS announcement, OCR said it had reached 11 additional agreements related to covered entities not providing patients access to their medical records—bringing the total settlements under this initiative to 38.[3]

Memorial Hermann Health System (MHHS), a 17-hospital chain based in southeast Texas, paid $240,000 and agreed to a two-year corrective action plan (CAP) for failing to provide a single patient access to her records in a timely manner, the agency said.[4]

MHHS’ payment is the biggest OCR has collected under this initiative; the previous record-holder was Banner Health of Phoenix, Arizona, which paid $200,000 related to two patients who lodged access complaints with OCR.

Breach Notification Was Made in 2018

OCR refers in its documents to OSUCHS as OSU-CHS, which it described as a “public land-grant research university which provides preventive, rehabilitative, and diagnostic care in Oklahoma.” OCR’s documents show OSUCHS’ initial discovery of the breach was marked by misinformation and missteps, although the spokesperson provided more insights into what happened.

In a Jan. 5, 2018, public breach notice by the organization, OSUCHS officials said that on Nov. 7, 2017, they “learned an unauthorized third party had gained access to folders on the OSUCHS computer network. These folders stored Medicaid patient billing information. On November 8th, we took immediate action to remove the folders from the computer network and terminated the third party access. We also launched a thorough investigation, including hiring an independent data security firm. The firm assisted us in determining whether the folders had been compromised.”[5]

The notice, which was reported by DataBreaches.net, said OSUCHS’ investigation “could not rule out whether the third party explicitly accessed patient information. The information in the folders may have included patients’ names, Medicaid numbers, healthcare provider names, dates of service, and limited treatment information. It is important to note these folders did not contain medical records. A single social security number was contained on the server.”

Officials added that they had “no conclusive indication of any inappropriate use of patient information. However, out an abundance of caution, we began mailing letters to affected patients on January 5, 2018. We also established a dedicated call center to answer any questions our patients may have. If you believe your information was affected and do not receive a letter by February 15, 2018, or if you have questions regarding this incident, please call 1-844-551-1727, Monday through Friday, 8 am to 8 pm Central Time. For patients affected by this incident, please be alert to any healthcare services you did not receive from any of your providers. If you learn of any services you did not receive, please contact your provider and Medicaid immediately.”

The notice ended with the familiar pledge to protect patient information. “At OSU Center for Health Sciences, we care deeply about our patients. Patient confidentiality is a critical part of our commitment to care and we work diligently to protect patient information. We apologize for any concern or inconvenience this incident may cause our patients. Since this incident, we have implemented additional security measures to enhance the protection of our patient information,” it said.

This document is only available to subscribers. Please log in or purchase access.
Purchase Login
 


Would you like to read this entire article?

If you already subscribe to this publication, just log in. If not, let us send you an email with a link that will allow you to read the entire article for free. Just complete the following form.

* required field

First name field cannot be blank!
Last name field cannot be blank!
We will send you an email that will give you access to this entire article.
Email field cannot be blank!
Enter a valid email!
Company field cannot be blank!
Enter a valid company!
Title field cannot be blank!

We're committed to your privacy. The Society of Corporate Compliance and Ethics (SCCE) & Health Care Compliance Association (HCCA) uses the information you provide us to contact you about our relevant content, products, and services. For more information, check out our Privacy Policy.


About SCCE

The Society of Corporate Compliance and Ethics (SCCE) is a non-profit, member-based professional association. SCCE supports our members' work with education, news, and discussion forums. We are a community of leaders, defining and shaping the corporate compliance environment across a wide range of industries and geographic regions. In developing and maintaining effective ethics and compliance programs, our members strengthen and protect their companies.

952.933.4977

About HCCA

The Health Care Compliance Association (HCCA), is a 501(c)6 non-profit, member-based professional association. HCCA was established in 1996 and is headquartered in Minneapolis, MN. We provide training, certification, and other resources to over 10,000 members. Our members include compliance officers and staff from a wide range of organizations, including hospitals, research facilities, clinics and technology service providers.

952.988.0141

Facebook Twitter LinkedIn
Copyright © 2024 by Society of Corporate Compliance and Ethics (SCCE) & Health Care Compliance Association (HCCA). No claim to original US Government works. All rights reserved. All information provided through this site, including without limitation all information such as the “look and feel” of the site, data files, graphics, text, photographs, drawings, logos, images, sounds, music, video or audio files on this site, is owned and/or licensed by SCCE & HCCA or its suppliers and is subject to United States and international copyright, trademark and other intellectual property laws. Any third party logos and/or content provided herein is owned by such third parties and is used by permission herein. Your use of this site to is subject to our Terms Of Use and Privacy Statement.
Cookie settings