Malware Leads to HIPAA Settlement

In case we needed a reminder of the cascading repercussions of cyberattacks, a nonprofit behavioral health services organization in Alaska has given us one. A few years back, Anchorage Community Mental Health Services (ACMHS) had a run-in with some malware on its IT systems. And now, like lemon juice on a paper cut, ACMHS’s malware incident has exposed it to more pain: a settlement with the U.S. Department of Health and Human Services’ Office of Civil Rights (OCR).

Last month, OCR announced that ACMHS had settled potential HIPAA Security Rule violations for a tidy sum of $150,000 and a two-year corrective action plan (CAP). The settlement stemmed from ACMHS’s self-report, in early 2012, that malware had resulted in a breach of unsecured electronic protected health information (ePHI), which affected more than 2,700 individuals.

OCR initiated an investigation soon after, and found that:

• Although ACMHS had adopted Security Rule policies and procedures, it had then failed to follow them;
• ACMHS failed to conduct thorough risk assessments with respect to its ePHI; and
• ACMHS failed to put in place appropriate security measures, such as a firewall and available software patches.

Indeed, OCR noted that, “The security incident was a direct result of ACMHS failing to identify and address basic risks, such as not regularly updating their IT resources with available patches and running outdated, unsupported software.” In addition...