Anchorage Community Mental Health Services, Inc. (“ACMHS”) will pay $125,000 to the United States Department of Health and Human Services, Office for Civil Rights (“OCR”) to settle alleged violations of the Health Insurance Portability and Accountability Act (“HIPAA”). The settlement arises from a breach of unsecured electronic protected health information (“PHI”) due to malware that compromised the security of ACMHS’s information technology resources. Over 2,700 individuals were affected by the breach. ACMHS provides behavioral health care services to children, adults, and families in Anchorage, Alaska.
After receiving notification from ACHMS of this security incident in 2012, OCR conducted an investigation and found that ACMHS failed to do the following:
Conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality integrity, and availability of e-PHI held by ACMHS;
Implement policies and procedures requiring implementation of security measures sufficient to reduce risks and vulnerabilities to its e-PHI to a reasonable and appropriate level; and
Implement technical security measures to guard against unauthorized access to e-PHI that is transmitted over an electronic communications network by failing to ensure that firewalls were in place with threat identification monitoring of inbound and outbound traffic and that information technology resources were both supported and regularly updated with available patches.
This settlement highlights the need for organizations that are handling PHI to properly assess their information technology systems and update their software. OCR stated that the “security incident was the direct result of ACMHS failing to identify and address basic risks, such as not regularly updating their IT resources with available patches and running outdated, unsupported software.”
Further, OCR Director Jocelyn Samuels emphasized that, “[s]uccessful HIPAA compliance requires a common sense approach to assessing and addressing the risks to ePHI on a regular basis. This includes reviewing systems for unpatched vulnerabilities and unsupported software that can leave patient information susceptible to malware and other risks.”
To read the Bulletin, click here.
To read the Resolution Agreement, click here.