Oklahoma State University Pays $875,000 To OCR After Major Data Breach

The Oklahoma State University Center for Health Sciences (OSUCHS) has recently settled a HIPAA violation case for $875,000. The Department of Health and Human Services’ (HHS) Office for Civil Rights (OCR) brought the case to the University after an investigation into a major breach of sensitive data found several potential violations of the HIPAA Rules. 

The breach was detected by the university on November 7, 2017. It was discovered that an unauthorized third party had gained access to parts of the University's computer network and had potentially obtained files containing Medicaid patients' information. The information included names, healthcare provider names, Medicaid numbers, addresses, dates of birth, and treatment information. Upon discovery, a comprehensive forensic investigation was immediately conducted to determine how the network had been accessed, which parts had been accessed, and whether patient data had been stolen. OSUCHS determined that the hacker had installed malware on a University server and used it to access the personal information of approximately 280,000 individuals. Although the breach was initially reported as having occurred on November 7, 2017, it was later determined that the hackers first gained access to the patient data on March 9, 2016.

According to the OCR, OSUCHS potentially violated several provisions of the HIPAA Rules. These included the impermissible disclosure of ePHI, failure to provide timely breach notification to the Secretary of HHS and to affected individuals, failure to implement audit controls, failure to conduct an adequate risk analysis, and failure to perform periodic evaluations in response to environmental or operational changes affecting the security of the ePHI it maintains. For these HIPAA violations, the OCR imposed a financial penalty of $875,000 together with an order to implement a corrective action plan addressing the areas of non-compliance in its security program. The OCR has committed to monitoring OSUCHS's compliance with the HIPAA Rules for two years. Despite the hefty fine and the corrective action plan, the University has admitted no liability or wrongdoing.