University Health Center Pays $875,000 in HIPAA Fines after Cyber Hack

Rivkin Radler LLP

Oklahoma State University’s Center for Health Services recently paid $875,000 to settle potential HIPAA violations after a cyberattack resulted in unauthorized access to its patients’ protected health information. A hacker installed malware on the Center’s web server, which contained electronic protected health information. More than 275,000 individuals were affected by the breach, which resulted in the unauthorized disclosure of their names, Medicaid numbers, healthcare provider names, dates of service, dates of birth, addresses, and medical treatment information.

As required under HIPAA, the Center reported the breach to the U.S. Department of Health and Human Services’ Office for Civil Rights (OCR). After conducting an investigation, OCR concluded that, in addition to the impermissible disclosure of patient information, the Center failed to conduct an accurate and thorough risk analysis; to implement appropriate audit controls, security incident response, and reporting; and to timely notify the affected individuals and OCR about the breach.

In addition to the monetary fine, the Center is required to comply with a corrective action plan which includes two years of monitoring by OCR, workforce training, and implementing robust security systems and HIPAA-compliant policies and procedures. This settlement is a stark reminder for all covered entities that third-party cyberattacks can result in substantial fines under HIPAA if the covered entity failed to have adequate cybersecurity measures in place to reduce its risks and mitigate any cyber breaches that may occur.

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© Rivkin Radler LLP | Attorney Advertising
