The Alaska Department of Health and Social Services (DHSS) has agreed to pay a $1.7 million federal fine to settle possible violations of the Health Insurance Portability and Accountability Act of 1996 (HIPAA).
As part of their agreement with the U.S. Department of Health and Human Services (HHS), Alaska’s DHSS has also agreed to revise, review and maintain policies and procedures meant to keep the agency in compliance.
“Covered entities must perform a full and comprehensive risk assessment and have in place meaningful access controls to safeguard hardware and portable devices,” said Leon Rodriguez, director of the HHS Office for Civil Rights (OCR), in a statement. “This is OCR’s first HIPAA enforcement action against a state agency and we expect organizations to comply with their obligations under these rules regardless of whether they are private or public entities.”
Rodriguez’s office began its investigation following a breach report submitted by Alaska DHSS. The report indicated that a USB drive possibly containing sensitive medical information was stolen from the vehicle of a DHSS employee. During the investigation, OCR found that the state agency did not have adequate procedures in place to safeguard information, and had not completed a risk analysis, implemented risk management measures or completed security training for its workforce. It had also not implemented device and media controls or addressed device and media encryption as required by HIPPA, according to HHS.
As part of the settlement, a monitor will report back to OCR regularly on the state’s ongoing compliance efforts.
“The good news is no fraud has been reported related to the loss of this hard drive and this was an opportunity for HHS to discover the lack of compliance before another incident occurs,” blogged Chester Wisniewski, senior security advisor for Sophos Canada.
“Whatever type of sensitive information your organization gathers, the easiest way to ensure it isn’t stolen, leaked by hackers or accidentally discovered on an old USB key is to protect the information from the beginning,” he added. “Rather than worry about whether something is a mobile device or removable drive, encrypt it anyway. Base your decisions of what the information is, rather than where it is.”