April has been a busy month for the OCR. As of the writing of this email, there has been 2 HIPAA settlements for potential violations of the HIPAA Security Rules, and 1 settlement for the potential violation of the Privacy Rules. Potential non-compliance of the security rules were due to a stolen, unencrypted laptop (2012 incident) costing $2.5M, impacting 1,391 patients. An unauthorized disclosure due to a phishing attack (2012) costing $400K, impacting 3,200 patients. A lack of appropriate business associate contracting process (2015) in place costing $31K, impacting an unknown number of patients.
- Ensure Business Associate Agreements are in place with all vendors with access PHI/ePHI.
- Encrypt all high risk assets (e.g., laptops, tablets, phones, unsupervised/untethered desktops, removable media such as backup tapes and flash media).
- Enhance security awareness to include training regarding Phishing and other social engineering attacks.
You can find the corrective Action Plans here: