A maintenance error that turned off a firewall on a computer server in one of 29 clinics in the Idaho State University healthcare system exposed more than 17,500 patient records for a period of 10 months. When the breach was discovered in 2011, ISU self-reported to OCR as required by the HIPAA/HITECH data breach regulations.
Following a lengthy investigation, OCR has announced its first fine and corrective action plan agreement for 2013. ISU must pay a $400,000 fine and operate under a monitored correction plan for two years.
The deficiencies cited by OCR included:
Failure to conduct a risk analysis from April 2007 until November 2012;
Inadequate security measures from April 2007 until November 2012;
Inadequate procedures to review information system activity to determine if protected health information was inappropriately accessed or disclosed from April 2007 until June 2012.
The plan of correction requires a compliance gap analysis against the Security Rule requirements, plus annual reports on training, on review and updates of the ISU risk management plan, and on review and updates of the information management system.