The University of Washington Medicine (UWM) has agreed to settle HIPAA violations for $750,000 following a 2013 data breach that exposed the health information of 90,000 patients. The settlement also requires UWM to provide documentation on a structural reorganization of its compliance program. The Department of Health and Human Services' (HHS) Office for Civil Rights said this latest of sseveral HIPAA violation settlements shows the need for organizationwide risk analyses.

“All too often we see covered entities with a limited risk analysis that focuses on a specific system such as the electronic medical record or that fails to provide appropriate oversight and accountability for all parts of the enterprise,” said Jocelyn Samuels, director of HHS' Office for Civil Rights, in a statement.

Wendy Giles, UWM chief operating officer for IT services, said the Seattle-based system's affiliates are now under the umbrella of its information security program.  The breach occurred after an employee downloaded an e-mail attachment that contained malicious malware. The malware compromised the organization's IT system, exposing patients' names, medical record numbers, charges and, in some cases, addresses, phone numbers, birth dates, Social Security numbers and insurance identification or Medicare numbers. The Office for Civil Rights' investigation found that UWM did not ensure all of its affiliates were properly conducting risk assessments and appropriately responding to potential risks.

This settlement with HHS is one of several in recent months. Triple-S Management Corporation agreed to a $3.5 million settlement, Lahey Hopital and Medical Center in Massachusetts paid $850,000 in a HIPAA settlement, and Cancer Care Group, a radiation oncology practice in Indianapolis, paid $750,000.