Is Your Hospital Exposed?

$150K HIPAA Fine for Unpatched Software, OCR Imposes Penalty on Alaska Mental Health Provider


Federal regulators sent a message about the importance of applying software patches when they dropped a $150,000 HIPAA sanction on Anchorage Community Mental Health Services. The Department of Health and Human Services’ Office for Civil Rights says ACMHS failure to apply software patches contributed to a 2012 malware-related breach that affected more than 2,700 people.

The HIPAA settlement in the Alaska case marks the first time OCR has penalized a provider for unpatched software, which is not specifically addressed in the HIPAA Security Rule.


This settlement is the third HIPAA resolution agreement issued by OCR in 2014. OCR announced a record $4.8 million settlement in May with New York-Presbyterian Hospital and Columbia University. There was a breach of unsecured patient data on a network, affecting about 6,800 patients. In that settlement, OCR cited the lack of a risk analysis and failure to implement appropriate security policies.

The other 2014 OCR resolution agreement was an $800,000 settlement with Parkview Health System. The provider agreed to the settlement involving potential violations of the HIPAA Privacy Rule as a result of a June 2009 incident involving the dumping of 5,000 to 8,000 patients’ paper medical records.


Managing Risk


Most OCR corrective action plans focus on policies, procedures and other forms of documentation. Often, people are surprised to discover that there is nothing specifically written in the HIPAA Security Rule regarding vulnerability or patch management, firewalls, and monitoring of inbound and outbound traffic. However, it is difficult to manage risk appropriately without these security practices.

A meaningful risk analysis must include looking beyond the minimum requirements in the HIPAA Security Rule and exercising proper due diligence to properly evaluate any risk factors that could affect patient information.

This is a wake-up call that people should be looking very closely at the security risk assessment tools available from ONC and OCR, as well as NIST [National Institute of Standards and Technology].

The lesson here is that when a vendor sends a software patch or update, they should be applied immediately. That includes operating systems, electronic health records, practice management – and any electronic tool containing PHI.


If you have questions about risk assessment and vulnerabilities give ITPAC a call today.