Oklahoma State University Pays $875,000 to Resolve HIPAA Case with OCR

The Department of Health and Human Services’ (HHS) Office for Civil Rights (OCR) has reported that Oklahoma State University – Center for Health Sciences (OSU-CHS) has decided to negotiate a HIPAA investigation arising from the hacking incident of a web server. OSU-CHS is going to pay a $875,000 financial penalty to take care of the potential violations of the HIPAA Security, Privacy, and Breach Notification Regulations.

OSU-CHS is a public research university that offers preventive, diagnostic, and rehabilitative care in Oklahoma. OCR started a HIPAA investigation because of a breach report submitted on January 5, 2018 related to an OSU-CHS web server hacking incident. OSU-CHS confirmed that malware was installed on the server thereby allowing the hacker(s) to get access to the electronic protected health information (ePHI) of 279,865 persons.

The data compromised and possibly acquired by an unauthorized third party involved names, healthcare company names, Medicaid numbers, dates of service, birth dates, addresses, and treatment details. OSU-CHS at first announced that the data breach happened on November 7, 2017; nevertheless, it was afterwards reported that the attackers initially gained access to patients’ ePHI 20 months ago on March 9, 2016,

According to the OCR investigators, OSU-CHS had potentially breached these terms of the HIPAA Regulations:

  • 45 C.F.R. § 164.502(a) – Impermissible disclosure of the ePHI of 279,865 persons
  • 45 C.F.R. § 164.308(a)(l)(ii)(A) – Inability to perform a comprehensive and accurate company-wide risk evaluation
  • 45 C.F.R. 164.308(a)(8) – Inability to execute a regular technical and nontechnical analysis according to environmental or operational adjustments impacting the safety of ePHI
  • 45 C.F.R. § 164.312(b) – Inability to apply audit controls
  • 45 C.F.R. § 164.308(a)(6)(ii) – A failure in security incident response and reporting
  • 45 C.F.R. § 164.404 – Inability to offer prompt breach notification to impacted persons
  • 45 C.F.R. § 164.408 – Inability to offer prompt breach notification to the HHS Secretary

Besides the financial charges, OSU-CHS has decided to implement a corrective action plan to take care of all sections of non-compliance found by OCR. Compliance with the HIPAA Rules and the corrective action plan will be tightly supervised for two years. The case was resolved without admitting any liability or wrongdoing.

OCR Director Lisa J. Pino explains that HIPAA-covered entities are prone to cyber-attackers when they overlook to fully grasp where they save ePHI in their data systems. Successful cybersecurity begins with an appropriate and comprehensive risk analysis and applying all of the Security Rule specifications.

This is the number five financial penalty issued by OCR in 2022 related to HIPAA violations. It is the 111th penalty issued by OCR since it became authorized to penalize HIPAA-regulated entities due to HIPAA violations.

About Christine Garcia 1295 Articles
Christine Garcia is the staff writer on Calculated HIPAA. Christine has several years experience in writing about healthcare sector issues with a focus on the compliance and cybersecurity issues. Christine has developed in-depth knowledge of HIPAA regulations. You can contact Christine at [email protected]. You can follow Christine on Twitter at https://twitter.com/ChrisCalHIPAA