Medical center settles privacy charges stemming from stolen laptop
The University of Mississippi Medical Center has agreed to pay $2.75 million to settle charges it violated the Health Insurance Portability and Accountability Act in connection with a stolen laptop.
The U.S. Department of Health and Human Services' Office for Civil Rights said in a statement last week that it was notified in March 2013 of a breach affecting about 10,000 individuals after the Jackson, Mississippi-based center's privacy officer discovered a password-protected laptop was missing from its medical intensive care unit.
The center's investigation concluded it had likely been stolen by a visitor to the center who had inquired about borrowing one of the laptops, according to the OCR.
The OCR said its investigation revealed that personal health information stored on a network drive was vulnerable to unauthorized access via the center's wireless network because users could access an active directory containing 67,000 files after entering a general user name and password.
The directory included 328 files containing the personal health information of an estimated 10,000 patients dating back to 2008, the statement said.
The OCR said its investigation revealed the center had failed to implement policies and procedures to prevent, detect, contain and correct security violations; implement physical safeguards for all workstations that access personal health information to restrict access to authorized users; assign a unique user name and/or number for identifying and tracking user identity in information containing personal health information; and notify each individual whose unsecured health information was reasonably believed to have been accessed.
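The finding about a shared "general" user name and password is, in practice, an audit-trail failure: when several workstations sign in under one account, file access cannot be traced back to a person, which is exactly what the unique-user-identification requirement exists to prevent. The following is an added example, not code from the article or from the medical center; it assumes a constructed, hypothetical access-log format (timestamp, account, workstation, action, file path) and shows how a defender can flag an account that is active from more than one host in a short window and mark file accesses made under such an account as not attributable to an individual.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events in an assumed log format; not real log data.
# Fields: timestamp (ISO 8601), account, source workstation, action, path.
SAMPLE_EVENTS = [
    ("2013-03-01T09:00:00", "generaluser", "WS-ICU-01", "read", "phi/patient_0001.pdf"),
    ("2013-03-01T09:03:00", "generaluser", "WS-ICU-02", "read", "phi/patient_0002.pdf"),
    ("2013-03-01T09:30:00", "jdoe",        "WS-ICU-05", "read", "phi/patient_0003.pdf"),
    ("2013-03-01T10:15:00", "generaluser", "WS-ICU-01", "read", "phi/patient_0004.pdf"),
    ("2013-03-01T10:16:00", "jdoe",        "WS-ICU-05", "read", "phi/patient_0005.pdf"),
]


def parse_events(raw_events):
    """Convert the raw tuples into (datetime, account, host, action, path)."""
    return [
        (datetime.fromisoformat(ts), acct, host, action, path)
        for ts, acct, host, action, path in raw_events
    ]


def find_shared_accounts(events, window=timedelta(minutes=10)):
    """Return {account: set(hosts)} for accounts active from more than one
    workstation within `window`. Concurrent use from different hosts is the
    usual signature of a generic credential shared among staff."""
    sessions = defaultdict(list)
    for ts, acct, host, _action, _path in events:
        sessions[acct].append((ts, host))

    shared = {}
    for acct, seen in sessions.items():
        seen.sort()
        for i, (ts_i, host_i) in enumerate(seen):
            for ts_j, host_j in seen[i + 1:]:
                if ts_j - ts_i > window:
                    break  # sorted, so later entries are further away
                if host_j != host_i:
                    shared.setdefault(acct, set()).update({host_i, host_j})
    return shared


def access_report(events, window=timedelta(minutes=10)):
    """For each file touched, record the account and host, and whether the
    access can be attributed to one identifiable person (i.e. the account is
    not a detected shared credential)."""
    shared = find_shared_accounts(events, window)
    report = {}
    for ts, acct, host, action, path in events:
        report[path] = {
            "time": ts.isoformat(),
            "account": acct,
            "host": host,
            "action": action,
            "attributable": acct not in shared,
        }
    return report


if __name__ == "__main__":
    parsed = parse_events(SAMPLE_EVENTS)
    print("shared accounts:", find_shared_accounts(parsed))
    for path, info in access_report(parsed).items():
        flag = "OK" if info["attributable"] else "NOT ATTRIBUTABLE"
        print(f"{path}: {info['account']}@{info['host']} [{flag}]")
```

The ten-minute window is an assumption for the constructed data; on real logs it should be tuned to session length, and the detection should run against the central authentication or file-server logs rather than a single workstation, since the shared-credential pattern is only visible when events from several hosts are compared side by side.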
The center said in a statement that, as part of the settlement agreement, it is required to implement a corrective action plan during the next three years, including updating its information security policy.
It said the revised policy will include a standard that, following the discovery of a breach of protected health information, it will notify each individual potentially affected by the breach. It will also be required to ensure that each user with access to confidential health information is individually identifiable, to deter access by unauthorized users.
The center, which is not admitting liability, also said that over the last several years it has “initiated substantial improvements” in its information security program.
It said that among other initiatives, it is requiring that all laptop computers have encryption software installed; has restructured the role and reporting relationships of its chief information security officer; and has brought in an outside firm for a complete assessment and overhaul of its information technology security program.
“Our patients should never have to doubt that their privacy is a sacred trust that we are committed to protecting as part of our core ethical values,” Dr. LouAnn Woodward, the university's vice chancellor for health affairs, said in the medical center's statement. “We have learned from this experience and are working hard to ensure that our information security program meets or exceeds the highest standard.”