Oklahoma State University Center for Health Services fined US$800k for cyber security failure

Oklahoma State University’s Center for Health Services has had to pay US$875,000 after a cyber attack exposed patients’ protected health information, which is a potential US Health Insurance Portability and Accountability Act (HIPAA) violation.

A hacker gained unauthorised access of electronic protected health information after installing malware on the Oklahoma State University’s Center for Health Services' web server.

Over 275,000 people were impacted by the breach, which resulted in the exposure of their names, Medicaid numbers, healthcare provider names, dates of service, dates of birth, addresses, and medical treatment information.

The Center for Health Services reported the breach to the US Department of Health and Human Services' Office for Civil Rights (OCR) under the Health Insurance Portability and Accountability Act (HIPAA).

The OCR concluded that, "in addition to the impermissible disclosure of patient information, the Center for Health Services failed to conduct an accurate and thorough risk analysis, to implement appropriate audit controls, security incident response and reporting", after conducting an investigation. The OCR also found that the Center for Health Services did not notify the affected individuals and OCR about the breach in a timely manner.

According to Rivkin Radler, a law firm based in New York state, the Center for Health Services is now required to comply with a corrective action plan that includes two years of monitoring by the OCR, workforce training, and implementation of robust security systems that follow HIPAA-compliant policies and procedures.

Commenting on the settlement, Rivkin Radler said that this is a "stark reminder for all covered entities".

Third-party cyber attacks can result in substantial fines under HIPAA if a covered entity "failed to have adequate cyber security measures in place to reduce its risks and mitigate any cyber breaches that may occur".