JACKSON, Miss. (WJTV) — The University of Mississippi Medical Center agreed to pay a civil money penalty of $2.75 million regarding multiple alleged violations of the Health Insurance Portability and Accountability Act, according to the Office for Civil Rights with the U.S. Department of Health and Human Services.
The settlement is over a 2013 incident where a password-protected laptop computer went missing from the hospital’s Medical Intensive Care Unit. The $2.75 million will come from UMMC’s health-care operations revenue.
The laptop contained protected health information. OCR said the unsecured breach could have potentially affected about 10,000 people.
UMMC officials said they believe the laptop was stolen.
OCR’s investigation determined that information stored on a UMMC network drive was vulnerable to unauthorized access. The directory included 328 files containing the ePHI of an estimated 10,000 patients dating back to 2008. However, UMMC administrators said there was no evidence to show that health information was accessed or disclosed.
UMMC officials stated that they did not directly notify each person who could have been affected by the incident.
Below is a list of measures that OCR claimed UMMC failed to take. According to OCR, UMMC failed to:
- implement its policies and procedures to prevent, detect, contain, and correct security violations;
- implement physical safeguards for all workstations that access ePHI to restrict access to authorized users;
- assign a unique user name and/or number for identifying and tracking user identity in information systems containing ePHI; and
- notify each individual whose unsecured ePHI was reasonably believed to have been accessed, acquired, used, or disclosed as a result of the breach.
As part of the settlement, OCR will require UMMC to implement a corrective action plan during the next three years, including updating its Information Security Policy. The revised policy will include a standard that, following the discovery of a breach of protected health information, UMMC will notify each person potentially affected by the breach.