Anchorage Community Mental Health Services has agreed to pay $150,000 to settle a potential federal health data security rule violation. The settlement comes after a malware incident that exposed identifiable information on 2,742 individuals, the Office for Civil Rights at HHS announced.
In addition, the five-facility not-for-profit provider of behavioral health services has agreed to adopt a corrective action plan to address deficiencies in its compliance program under the Health Insurance Portability and Accountability Act. For a two-year period, it will report to the civil rights office on its state of HIPAA compliance, according to the OCR statement (PDF).
“Successful HIPAA compliance requires a common-sense approach to assessing and addressing the risks to ePHI (electronic protected health information) on a regular basis,” OCR Director Jocelyn Samuels said. “This includes reviewing systems for unpatched vulnerabilities and unsupported software that can leave patient information susceptible to malware and other risks.”
The statement from the federal agency, the main federal enforcement entity for violations of the HIPAA privacy and security rules, said the security incident “was the direct result of ACMHS failing to identify and address basic risks, such as not regularly updating their IT resources with available patches and running outdated, unsupported software.”
The records were exposed on a desktop computer between Dec. 20, 2011 and Jan. 4, 2012, according to a posting on the ONC's “wall of shame” website, which lists healthcare data breaches involving the records of 500 or more individuals.
Since the public website was launched in September 2009 as a mandate under the more stringent privacy provisions of the American Recovery and Reinvestment Act, 1,170 breaches have been reported to the civil-rights office involving the records of nearly 41.5 million individuals.
Last month, Beth Israel Deaconess Medical Center agreed to pay a $100,000 settlement as part of an agreement with Massachusetts state regulators following a breach of roughly 4,000 patient records on a stolen, unencrypted laptop computer.
Follow Joseph Conn on Twitter: @MHJConn