ISU Settles $400,000 for HIPAA Security Breach that Affected 17,500 Patients

Protecting Health Information

On May 21, 2013, the Department of Health and Human Services (HHS) announced that it had reached a resolution agreement with Idaho State University (ISU) for a breach that impacted 17,500 individuals. The breach occurred at ISU’s Pocatello Family Medicine Clinic because firewall protections on its servers had been disabled, leaving patient electronic protected health information (ePHI) unsecured for at least ten months.

Following the submission of a breach report to the HHS Office for Civil Rights (OCR), an investigation was conducted and revealed that ISU had not complied with HIPAA Security Rule requirements. This included failing to conduct a complete and adequate risk analysis and not implementing procedures to regularly review records of information system activity to identify any inappropriate use or disclosure of ePHI.

As a result of the alleged violations of HIPAA regulations, ISU will pay a $400,000 settlement. The incident serves as a reminder to healthcare organizations of the importance of safeguarding patient health information and complying with regulatory requirements. The settlement highlights the potential consequences of non-compliance with HIPAA regulations: damage to an organization’s reputation as well as significant financial penalties.