Malware Leads to a $150,000 OCR Settlement with a Behavioral Health Provider

Malware Leads to a $150,000 OCR Settlement with a Behavioral Health Provider Malware Leads to a $150,000 OCR Settlement with a Behavioral Health Provider
On December 8, 2014, the Office of Civil Rights (OCR) announced a settlement with the Anchorage Community Mental Health Services (ACMHS) involving allegations of violations of the HIPAA Security Rule. Under the Resolution Agreement, ACMHS will pay $150,000 to settle  the investigation.

A few preliminary comments.... This settlement is a good reminder that healthcare organizations and providers must put appropriate technical controls in place and review their policies and procedures on a regular basis. Organizations must ensure that their information technology systems contain the latest patches, that they have both inbound and outbound firewalls, and that they are using current software. Using current software may be particularly problematic, however, where certain functionality only works on certain version of a particular software. For example, some lab systems only work on Windows XP. In such instances, organizations must take appropriate steps to mitigate risks.

Additionally, data breaches (or potential data breaches) caused by malware or other similar malicious software are reportable to the Office of Civil Rights.

Interestingly, the OCR appears to be following in the footsteps of the SEC and requiring ownership or officer attestation. As part of the remediation plan, OCR is requiring an "attestation signed by an owner or officer of ACMHS attesting that all information system resources are currently supported and updated with available patches."

ACMHS is an Anchorage, Alaska based five-facility non-profit that provides behavioral health care services to children, adults, and families. ACMHS filed a breach report on March 2, 2012 "regarding a breach of unsecured electronic protected health information (e-PHI) affecting 2,743 individuals due to malware compromising the security of its information technology resources."[1] Specifically, according to the OCR Press Release (with my emphasis):
OCR’s investigation revealed that ACMHS had adopted sample Security Rule policies and procedures in 2005, but these were not followed. Moreover, the security incident was the direct result of ACMHS failing to identify and address basic risks, such as not regularly updating their IT resources with available patches and running outdated, unsupported software.[2]
OCR notified ACMHS on June 2, 2012 that it would launching an investigation. According to the Resolution Agreement, the OCR found the following conduct problematic (with my emphasis):
  • From April 21, 2005, the compliance date of the Security Rule, until March12, 2012, ACMHS failed to conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality integrity, and availability of e-PHI held by ACMHS;
  • From April 21, 2005, the compliance date of the Security Rule, until March12, 2012, ACMHS failed to implement policies and procedures requiring implementation of security measures sufficient to reduce risks and vulnerabilities to its e-PH to a reasonable and appropriate level; and
  • From January 1, 2008, until March 29, 2012, ACMHS failed to implement technical security measures to guard against unauthorized access to e-PHI that is transmitted over an electronic communications network by failing to ensure that firewalls were in place with threat identification monitoring of inbound and out bound traffic and that information technology resources were both supported and regularly updated with available patches.
As is the usual course, each Resolution Agreement includes a Corrective Action Plan. ACMHS must take the following steps:

Revise and Distribute Policies and Procedures
ACMHS shall provide an updated version of its Security Rule Policies and Procedures, which were submitted to OCR on May 20, 2013, to HHS within sixty (60) days of the Effective Date for review and approval. Upon receiving any recommended changes to such policies and procedures from HHS, ACMHS shall have thirty (30) days to revise such policies and procedures accordingly and provide the revised policies and procedures to HHS for review and approval. . . . ACMHS shall distribute its revised Security Rule Policies and Procedures to all members of the workforce who use or disclose e-PHI concomitantly with general security awareness training . . .  [and] shall require, at the time of distribution of its Security Rule Policies and Procedures, and shall maintain for its files, a signed written or electronic initial compliance certification from all members of the workforce, stating that the workforce members have read, understand, and shall abide by the Security Rule Policies and Procedures.

Train Workforce Members.
. . .  ACMHS shall provide general security awareness training for each workforce member who uses or discloses e-PHI within sixty (60) days of HHS approval and at least every twelve(12) months thereafter . . . Each workforce member who is required to attend training shall certify, in electronic or written form, that he or she received the training.The training certification shall specify the date training was received. All course materials shall be retained . . . ACMHS shall review the training at least annually, and, where appropriate, update the training to reflectany changes in Federal law or HHS guidance, any issues discovered during audits or reviews, or any other relevant developments.

Undertake an Annual Risk Analysis

ACMHS shall annually, as required by ACMHS’ “IT Risk Management” policy and procedure, conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of e-PHI held by ACMHS and document the security measures ACMHS implemented or is implementing to sufficiently reduce the identified risks and vulnerabilities to a reasonable and appropriate level.

For a chart summary of the OCR fines as well as other HIPAA related litigation, please see

[1] Resolution Agreement between HHS Office of Civil Rights and Anchorage Community Mental Health Services, Inc. (Dec. 2, 2014).

[2] Press Release, Office of Civil Rights (December 8, 2014), available at

Posted by: Tatiana Melnik on December 9
, 2014

November 2021

Blog Home  

Newest Blog Entries
7/23/15 Hospital Settles with OCR for $ 218,400 Over Cloud-Based File Sharing

6/8/15 Two California Privacy Bills to Watch in 2015

3/28/15 When Looking at Security, Consider Every Device

3/9/15 Alabama Board of Optometry Makes Final a Rule on Telemedicine

1/25/15 Indiana Court of Appeals Upholds $1.44 Million Jury Verdict Against Walgreen Co. in a Privacy Breach Case; Denies Rehearing

12/9/14 Malware Leads to a $150,000 OCR Settlement with a Behavioral Health Provider

11/30/14 Can a Board of Medicine Use the State’s Prescription Drug Database in Investigating Physician Actions?

11/29/14 Under the Florida Telemedicine Rule, Can a Physical be Conducted by Telemedicine?

11/19/14 Wearables and the Challenge for Consumer Device Makers

10/28/14 A Few Telemedicine Resources

10/27/14 FCC: The Newest Regulator to Throw its Hat into the Data Privacy and Security Ring

Blog Archives
April 2014 (6)
February 2014 (4)
May 2014 (6)
November 2014 (3)
July 2014 (1)
June 2015 (1)
November 2013 (3)
September 2014 (1)
December 2014 (1)
January 2015 (1)
June 2014 (3)
December 2013 (5)
March 2015 (2)
October 2013 (9)
July 2015 (1)
October 2014 (2)
March 2014 (3)
August 2014 (4)
January 2014 (4)

Blog Labels
Dental (1)
FCC (1)
Financial Services (1)
Mobile Apps (2)
Medical Marijuana (1)
Employment (1)
FAQ (6)
Meaningful Use (4)
EHR (2)
Privacy Litigation (3)
Identity Theft (1)
Security (1)
Healthcare Fraud (1)
Marketing (1)
BYOD (2)
Social Media (2)
Mobile Apps FDA (2)
Data Breach (10)
Big Data (3)
Healthcare Competition (1)
Privacy (4)
Telemedicine (7)