The Anchorage Community Mental Health Services (ACMHS) just agreed to pay a $150,000 fine after a 2012 breach of approximately 2,500 patients' protected health information (PHI) caused by malware on their healthcare software system, according to Healthcare IT News.
Apparently ACMHS had adopted the sample Security Rule policies in 2005 but didn’t bother to follow them from 2005 to the date of the breach in 2012. As a result, they ran outdated, unpatched software leading to the breach.
In addition to the $150,000 fine, they agreed to a corrective action plan lasting two years, which, if they complete successfully, they are off the hook for this HIPAA violation.
While this organization had 5 locations, it only has 2,743 patients, so it is small.
On the other hand, the good old-fashioned paper breaches are still going strong. Parkview Health System in Ft. Wayne, Indiana decided that placing 71 boxes of patient records on the driveway of a retiring physician (who was out of town) was a good plan. They had to cough up $800,000 in fines.
But these fines are not limited to the small guys. New York Presbyterian Hospital/Columbia University Medical System paid a $4.8 million fine after patient records for 6,800 patients wound up on Google back in 2010.
These 3 incidents represent a small part of the $26 million in fines the Feds have levied against healthcare entities so far.
While having a good cyber security program won’t stop you from having a breach, it will improve the odds. For example, if your cyber security program requires you to encrypt data on laptops and tablets and you actually do that, then when one of your employees loses a device containing PHI, you have a safe harbor, meaning that you don’t have to pay a fine.