Oklahoma State University – Center for Health Services pays over $875,000 to settle hacking breach | Goodbye

What did the duck say when she went to buy lipstick? Put it on my bill! Speaking of bills (kind of money, not a bill), Oklahoma State University had to pay a huge bill of $875,000! It acts as a settlement for a huge violation of hacking OSU CHS web servers. Oklahoma State University has agreed to pay the price and implement a remediation plan over the next two years to resolve all violations of HIPAA breach notification, security, and privacy rules.

OCR received a breach report in 2018 due to hacking of OSU’s web servers. They discovered that the hacker in this breach had access to the electronic protected health information (ePHI) of 279,865 people. OSU discovered that the hackers gained access to ePHI patients earlier than they initially thought, on March 9, 2016.

OCR Director Lisa J. Pino says, “HIPAA-covered entities are vulnerable to cyber attackers if they fail to understand where ePHI is stored in their information systems.

As technology evolves in the healthcare industry, understanding how to appropriately secure personal health information (PHI) when storing or sending it is critical. With the increase in cybersecurity risks and the pervasiveness of electronic communications, it is imperative to secure your patient data. Encryption services are a great way to protect your practice and avoid these persistent HIPAA violations. Good news for you, you don’t have to be a sitting duck!

OCR reported that OSU failed to follow HIPAA rules by:

  • Unauthorized disclosure of ePHI of 279,865 people
  • Failure to complete a Risk analysis before and after violation
  • Failure to implement Audit controls
  • Failure to maintain appropriate security measures to protect ISP and reduce additional risks

Unfortunately for the Cowboys, their failure to maintain adequate security, risk analysis measures and compliance documentation cost them a hefty fine and put all OSU ePHI patients at risk. This violation, and the corresponding financial regulations, underscore that even for large organizations like OSU, good risk analysis practices and HIPAA-compliant policies are essential to prevent impermissible backup or access to ePHI.

Even as an independent practice, you might not feel like you have anything in common with a big fish like OSU. It doesn’t matter if you’re a duck, a fish or a cowboy – everyone is being watched and at risk. As the penalties for these violations become more severe, it’s more crucial than ever to ensure your firm has a robust HIPAA program in place.

[View source.]