In case we needed a reminder of the cascading repercussions of cyberattacks, a nonprofit behavioral health services organization in Alaska has given us one. A few years back, Anchorage Community Mental Health Services (ACMHS) had a run-in with some malware on its IT systems. And now, like lemon juice on a paper cut, ACMHS’s malware incident has exposed it to more pain: a settlement with the U.S. Department of Health and Human Services’ Office of Civil Rights (OCR).
Last month, OCR announced that ACMHS had settled potential HIPAA Security Rule violations for a tidy sum of $150,000 and a two-year corrective action plan (CAP). The settlement stemmed from ACHMS’s self-report, in early 2012, that malware had resulted in a breach of unsecured electronic protected health information (ePHI), which affected more than 2,700 individuals. OCR initiated an investigation soon after, and found that:
• Although ACMHS had adopted Security Rule policies and procedures, it had then failed to follow them;
• ACMHS failed to conduct thorough risk assessments with respect to its ePHI; and
• ACMHS failed to put in place appropriate security measures, such as a firewall and available software patches.
Indeed, OCR noted that, “The security incident was a direct result of ACMHS failing to identify and address basic risks, such as not regularly updating their IT resources with available patches and running outdated, unsupported software.”
In addition to the $150,000 fine, the CAP requires ACMHS to:
• Update its Security Rule policies and procedures and distribute them to its workforce;
• Re-train its workforce on security awareness and provide annual training thereafter;
• Conduct an annual risk assessment and annually update its risk management plan;
• Ensure that all of its IT resources are supported and regularly updated; and
• Submit an annual compliance report to HHS.
This case also illustrates the importance of following through on your privacy and security commitments. Adopting policies and procedures for the HIPAA Privacy and Security Rules won’t do you any good if you put them in a drawer and forget about them. Compliance should always be top-of-mind, whether you’re handling patient files, conducting a risk assessment, or clicking the “update” button on your software.
The ACMHS resolution agreement can be found here.