The Department of Health and Human Services’ Office for Civil Rights announced a $2.75 million fine following a Mississippi health center’s patient privacy violation.
The July 22 announcement comes after an OCR investigation determined the University of Mississippi Medical Center violated the Health Insurance Portability and Accountability Act, or HIPAA, multiple times in 2013, reports thehill.com. The medical center did not admit liability for the violations as part of the settlement.
The violations stem from what federal officials deemed inadequate computer security measures that were in place when a laptop in the hospital’s intensive care unit was likely stolen. The laptop held the protected health information, or PHI, of 10,000 patients.
An investigation into the computer theft determined that large parts of the patient record database could be reached without login credentials once a user was on the health center’s network, which itself required only a password. Federal investigators also characterized the username and password for the device as “generic.”
Under the settlement, UMMC will address the security deficiencies identified in the investigation. Those problems include the absence of activity tracking on network accounts that access patient health information, the lack of physical safeguards for workstations holding protected data, and the failure to notify all patients who may have been affected by the computer theft.
UMMC released a statement saying that it has undertaken several initiatives aimed at improving data security since the 2013 computer theft, including the mandatory installation of encryption software on all computers.
UMMC also hired an outside firm to assess its cybersecurity measures. That firm helped the medical center overhaul its IT security program.