Officials at the University of Mississippi Medical Center said Friday they have paid a $2.75 million penalty to the Office for Civil Rights at HHS as part of an agreement to resolve security problems found after the 2013 disappearance of a laptop computer that contained health information for as many as 10,000 people.
The federal agency said UMMC concluded, after an investigation, that a visitor to the intensive care unit probably stole the laptop after asking to borrow it. Because the laptop could access the medical center's wireless network, whoever took it could get to the data after entering a generic user name and password.
UMMC officials say there is no evidence that health information was accessed or disclosed.
"We have learned from this experience and are working hard to ensure that our information security program meets or exceeds the highest standard," Dr. LouAnn Woodward, vice chancellor for health affairs, said in a statement.
Medical center officials thought they had taken appropriate steps to publicize the loss but decided they didn't have enough information to try to notify people individually, medical center spokesman Tom Fortner told the Associated Press Friday. The federal agency disagreed, saying the medical center should have tried to notify individuals.
The agency also slammed UMMC for not doing enough to secure records and allowing ICU workers to use the laptop without individual user names. It said UMMC had been aware of some weaknesses as early as 2005, saying "yet no significant risk management activity occurred until after the breach, due largely to organizational deficiencies and insufficient institutional oversight."
"We at OCR remain particularly concerned with unaddressed risks that may lead to impermissible access," Jocelyn Samuels, director of the Office for Civil Rights, said in a statement.
Fortner said he knew of no employees who had been fired or disciplined because of the problems, although he said some new employees had been hired to strengthen the medical center's procedures.
He said the medical center now assigns every computer to a particular user. A 14-page agreement between the agency and the medical center also lays out a series of other reforms, including requirements that UMMC designate a person to monitor compliance, draw up a risk management plan across the entire 10,000-employee hospital system, and update its information security policies and its procedures for notifying people about breaches. The medical center also must assign employees individual user names.
Fortner said some of those changes have already started.
The agency regularly assesses fines greater than $1 million. UMMC had revenue of $1.45 billion in the year ending June 30, producing a surplus of $32 million. Fortner said UMMC set aside money to pay the fine in a previous budget year.
UMMC must report to the agency for three years under the agreement.