The University of Mississippi Medical Center is being penalized $2.75 million for a health data breach by the U.S. Department of Health and Human Services.

The hospital also must implement a three-year corrective plan to correct shortcomings found in an investigation.

The Hill reports the fine came for a series of violations of Health Insurance Portability and Accountability Act privacy and security requirements. The hospital agreed to settle with HHS’s Office of Civil Rights, without admitting liability, in the case of a password-protected laptop that was stolen, probably by a visitor to the hospital’s intensive care unit who had asked to borrow the laptop.

Although the laptop itself was protected by a generic username and password, it allowed easy access to the hospital network and to the private health data for 10,000 patients. The laptop was assigned to the intensive care unit, and although individual logins were required to access the network, no such barrier stood between a user and the patient record database.

Although the hospital did concede some shortcomings — the agency cited after its investigation such failures as a lack of physical safeguards for workstations that contained protected data, failure to track users accessing electronic health information and failure to notify all the individuals who were affected by the breaches — it said that there was no indication that any protected data were accessed.

Just days earlier, the Office of Civil Rights settled with Oregon Health & Science University in another HIPAA case; this time the penalty was $2.7 million after four breaches in 2012 and 2013 resulted in the data of more than 3,000 individuals being compromised. Two unencrypted laptops and one unencrypted thumb drive were lost or stolen. In addition, the agency said the hospital never implemented a required security agreement with a cloud service provider storing the health data.

The Office of Civil Rights is boosting enforcement even as HHS hopes to boost protections for health data that fall beyond the HIPAA framework. Wearable technologies and mobile apps are not covered by HIPAA requirements, but collect and transmit health data from users without being required to protect it in the same way healthcare providers are bound.

Karen DeSalvo, the director of th Office of Civil Rights, has urged Congress in a blog post to expand protection for those kinds of health data; in a report to Congress, the Office of the National Coordinator for Health IT has advised how wearables are not covered by existing privacy laws.

Instant Insights /

Privacy breach costs Mississippi medical center $2.75 million

More From HR Executive

Related Stories

Recommended For You