Security Experts:

Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Privacy & Compliance

Alaska Fined $1.7 Million for HIPAA Violations

The Alaska Department of Health and Social Services (DHSS) has agreed to pay a $1.7 million federal fine to settle possible violations of the Health Insurance Portability and Accountability Act of 1996 (HIPAA).

As part of their agreement with the U.S. Department of Health and Human Services (HHS), Alaska’s DHSS has also agreed to revise, review and maintain policies and procedures meant to keep the agency in compliance.

The Alaska Department of Health and Social Services (DHSS) has agreed to pay a $1.7 million federal fine to settle possible violations of the Health Insurance Portability and Accountability Act of 1996 (HIPAA).

As part of their agreement with the U.S. Department of Health and Human Services (HHS), Alaska’s DHSS has also agreed to revise, review and maintain policies and procedures meant to keep the agency in compliance.

“Covered entities must perform a full and comprehensive risk assessment and have in place meaningful access controls to safeguard hardware and portable devices,” said Leon Rodriguez, director of the HHS Office for Civil Rights (OCR), in a statement.  “This is OCR’s first HIPAA enforcement action against a state agency and we expect organizations to comply with their obligations under these rules regardless of whether they are private or public entities.”

Rodriguez’s office began its investigation following a breach report submitted by Alaska DHSS. The report indicated that a USB drive possibly containing sensitive medical information was stolen from the vehicle of a DHSS employee. During the investigation, OCR found that the state agency did not have adequate procedures in place to safeguard information, and had not completed a risk analysis, implemented risk management measures or completed security training for its workforce. It had also not implemented device and media controls or addressed device and media encryption as required by HIPPA, according to HHS.

As part of the settlement, a monitor will report back to OCR regularly on the state’s ongoing compliance efforts.

“The good news is no fraud has been reported related to the loss of this hard drive and this was an opportunity for HHS to discover the lack of compliance before another incident occurs,” blogged Chester Wisniewski, senior security advisor for Sophos Canada.

“Whatever type of sensitive information your organization gathers, the easiest way to ensure it isn’t stolen, leaked by hackers or accidentally discovered on an old USB key is to protect the information from the beginning,” he added. “Rather than worry about whether something is a mobile device or removable drive, encrypt it anyway. Base your decisions of what the information is, rather than where it is.”

Written By

Click to comment

Expert Insights

Related Content

Privacy

The EU's digital policy chief warned TikTok’s boss that the social media app must fall in line with tough new rules for online platforms...

Privacy

Meta was fined an additional $5.9 million for violating EU data protection regulations with WhatsApp messaging app.

Cybersecurity Funding

Los Gatos, Calif-based data protection and privacy firm Titaniam has raised $6 million seed funding from Refinery Ventures, with participation from Fusion Fund, Shasta...

Mobile & Wireless

As smartphone manufacturers are improving the ear speakers in their devices, it can become easier for malicious actors to leverage a particular side-channel for...

Privacy

Employees of Chinese tech giant ByteDance improperly accessed data from social media platform TikTok to track journalists in a bid to identify the source...

Application Security

Microsoft’s security patching machine hummed into overdrive Tuesday with the release of fixes for at least 97 documented software vulnerabilities, including a zero-day that’s...

Privacy

A top U.S. intelligence official on Thursday urged Congress to renew sweeping powers granted to American spy agencies to surveil and examine communications, saying...