AK organization settles HIPAA violations for $150K
A mental health organization in Alaska has agreed to pay a fine and improve its HIPAA compliance program after a Department of Health and Human Services (HHS) investigation found the group failed to appropriately safeguard patient data.

Anchorage Community Mental Health Services (ACMHS) will pay $150,000 to settle potential HIPAA violations after the organization failed to patch its systems and continued to run outdated, unsupported software, which eventually resulted in a malware data breach affecting 2,743 individuals. The breach was reported in March 2012.

The investigation by the HHS' Office for Civil Rights (OCR) found that ACMHS had adopted HIPAA security policies and procedures, but employees did not follow them for a seven-year period, from 2005 to 2012. The data breach of electronic protected health information (ePHI) occurred after ACMHS failed to "identify and address basic risks," OCR officials wrote in a settlement bulletin, addressing the organization's neglect in updating IT resources with system patches and updated software.

"Successful HIPAA compliance requires a common sense approach to assessing and addressing the risks to ePHI on a regular basis," said OCR Director Jocelyn Samuels in the December bulletin. "This includes reviewing systems for unpatched vulnerabilities and unsupported software that can leave patient information susceptible to malware and other risks."

In addition to the $150,000 settlement, Anchorage Community Mental Health Services will be required to implement a corrective action plan and report to OCR on its compliance program.