DataBreaches.Net


Alaska Medicaid settles HIPAA security case for $1,700,000

Posted on June 26, 2012 by Dissent

It was one of the first breaches reported to HHS under HITECH, and it had never been in any media reports that I had seen. Even to this day, HHS’s breach tool does not provide any specifics other than that 501 people were affected by the theft of a USB drive. But in a press release today, HHS/OCR announced it had settled charges against the state over the breach and provided some details:

The Office for Civil Rights (OCR) received a Breach Report from the DHSS dated October 30, 2009. The document indicated that a portable electronic storage device potentially containing electronic protected health information (e-PHI) was stolen from the vehicle of a DHSS computer technician on or about October 12, 2009.

On January 8, 2010, OCR notified DHSS that it will be conducting an investigation. On March 3, 2010, June 1, 2010, November 19, 2010, and April 1, 2011, OCR received DHSS’ written responses, policies, procedures, information regarding training activities, and documentation related to compliance with the Privacy and Security Rules. On June 17-18, 2010, OCR conducted a site visit to interview selected DHSS workforce members. OCR also received information from DHSS through email and telephone contacts throughout this investigation.

As a result of its investigation, OCR determined that DHSS had not 1) completed a risk analysis (See 45 C.F.R. § 164.308(a)(1)(ii)(A)); 2) implemented sufficient risk management measures (See 45 C.F.R. § 164.308(a)(1)(ii)(B)); 3) completed security training for DHSS workforce members (See 45 C.F.R. § 164.308(a)(1)(ii)(A)(5)(i)); 4) implemented device and media controls (See 45 C.F.R. § 164.310(d)(1)); and 5) addressed device and media encryption (See 45 C.F.R. § 164.312(a)(2)(iv)).

According to the press release today:

The Alaska Department of Health and Social Services (DHSS), the state Medicaid agency, has agreed to pay the U.S. Department of Health and Human Services’ (HHS) $1,700,000 to settle possible violations of the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Security Rule.  Alaska DHSS has also agreed to take corrective action to properly safeguard the electronic protected health information (ePHI) of their Medicaid beneficiaries.

The HHS Office for Civil Rights (OCR) began its investigation following a breach report submitted by Alaska DHSS as required by the Health Information Technology for Economic and Clinical Health (HITECH) Act.  The report indicated that a portable electronic storage device (USB hard drive) possibly containing ePHI was stolen from the vehicle of a DHSS employee.  Over the course of the investigation, OCR found evidence that DHSS did not have adequate policies and procedures in place to safeguard ePHI.  Further, the evidence indicated that DHSS had not completed a risk analysis, implemented sufficient risk management measures, completed security training for its workforce members, implemented device and media controls, or addressed device and media encryption as required by the HIPAA Security Rule.

In addition to the $1,700,000 settlement, the agreement includes a corrective action plan that requires Alaska DHSS to review, revise, and maintain policies and procedures to ensure compliance with the HIPAA Security Rule.  A monitor will report back to OCR regularly on the state’s ongoing compliance efforts.

“Covered entities must perform a full and comprehensive risk assessment and have in place meaningful access controls to safeguard hardware and portable devices,” said OCR Director Leon Rodriguez.  “This is OCR’s first HIPAA enforcement action against a state agency and we expect organizations to comply with their obligations under these rules regardless of whether they are private or public entities.”

OCR enforces the HIPAA Privacy and Security Rules. The Privacy Rule gives individuals rights over their protected health information and sets rules and limits on who can look at and receive that health information. The Security Rule protects health information in electronic form by requiring entities covered by HIPAA to use physical, technical, and administrative safeguards to ensure that electronic protected health information remains private and secure.

The HITECH Breach Notification Rule requires covered entities to report an impermissible use or disclosure of protected health information, or a “breach,” of 500 individuals or more to the HHS Secretary Sebelius and the media. Smaller breaches affecting fewer than 500 individuals must be reported to the secretary on an annual basis.

Individuals who believe that a covered entity has violated their (or someone else’s) health information privacy rights or committed another violation of the HIPAA Privacy or Security Rule may file a complaint with OCR at:  http://www.hhs.gov/ocr/privacy/hipaa/complaints/index.html.

The HHS Resolution Agreement can be found at http://www.hhs.gov/ocr/privacy/hipaa/enforcement/examples/alaska-agreement.html
