UMMC reaches $2.75 settlement regarding missing laptop breach

JACKSON, Miss. (WJTV) — The University of Mississippi Medical Center agreed to pay a civil money penalty of $2.75 million regarding multiple alleged violations of the Health Insurance Portability and Accountability Act, according to the Office for Civil Rights with the U.S. Department of Health and Human Services.

The settlement is over at 2013 incident where a password-protected laptop computer went missing from the hospital’s Medical Intensive Care Unit. The $2.75 million will come from UMMC’s health-care operations revenue.

The laptop contained protected health information. ORC said the unsecured breach could have potentially affected about 10,000 people.

UMMC officials said they believe the laptop was stolen.

OCR’s investigation determined that information stored on a UMMC network drive vulnerable to unauthorized access. The directory included 328 files containing the ePHI of an estimated 10,000 patients dating back to 2008. However, UMMC administrators said there was no evidence to show that health information was accessed or disclosed.

UMMC officials stated that they did not directly notify each person who could have been affected by the incident.

Below is a list of measures that ORC claimed that UMMC failed:

  • implement its policies and procedures to prevent, detect, contain, and correct security violations;
  • implement physical safeguards for all workstations that access ePHI to restrict access to authorized users;
  • assign a unique user name and/or number for identifying and tracking user identity in information systems containing ePHI; and
  • notify each individual whose unsecured ePHI was reasonably believed to have been accessed, acquired, used, or disclosed as a result of the breach.


As part of the settlement, OCR will require UMMC to implement a corrective action plan during the next three years, including updating its Information Security Policy. The revised policy will include a standard that, following the discovery of a breach of protected health information, UMMC will notify each person potentially affected by the breach.

Get more information about the settlement here. 


Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s