Malware Leads to a $150,000 OCR Settlement with a Behavioral Health Provider
On December 8, 2014, the Office of Civil Rights (OCR) announced a settlement with the Anchorage Community Mental Health Services (ACMHS) involving allegations of violations of the HIPAA Security Rule. Under the Resolution Agreement, ACMHS will pay $150,000 to settle  the investigation.

A few preliminary comments.... This settlement is a good reminder that healthcare organizations and providers must put appropriate technical controls in place and review their policies and procedures on a regular basis. Organizations must ensure that their information technology systems contain the latest patches, that they have both inbound and outbound firewalls, and that they are using current software. Using current software may be particularly problematic, however, where certain functionality only works on certain version of a particular software. For example, some lab systems only work on Windows XP. In such instances, organizations must take appropriate steps to mitigate risks.

Additionally, data breaches (or potential data breaches) caused by malware or other similar malicious software are reportable to the Office of Civil Rights.

Interestingly, the OCR appears to be following in the footsteps of the SEC and requiring ownership or officer attestation. As part of the remediation plan, OCR is requiring an "attestation signed by an owner or officer of ACMHS attesting that all information system resources are currently supported and updated with available patches."

ACMHS is an Anchorage, Alaska based five-facility non-profit that provides behavioral health care services to children, adults, and families. ACMHS filed a breach report on March 2, 2012 "regarding a breach of unsecured electronic protected health information (e-PHI) affecting 2,743 individuals due to malware compromising the security of its information technology resources."[1] Specifically, according to the OCR Press Release (with my emphasis):
OCR’s investigation revealed that ACMHS had adopted sample Security Rule policies and procedures in 2005, but these were not followed. Moreover, the security incident was the direct result of ACMHS failing to identify and address basic risks, such as not regularly updating their IT resources with available patches and running outdated, unsupported software.[2]
OCR notified ACMHS on June 2, 2012 that it would launching an investigation. According to the Resolution Agreement, the OCR found the following conduct problematic (with my emphasis):
  • From April 21, 2005, the compliance date of the Security Rule, until March12, 2012, ACMHS failed to conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality integrity, and availability of e-PHI held by ACMHS;
  • From April 21, 2005, the compliance date of the Security Rule, until March12, 2012, ACMHS failed to implement policies and procedures requiring implementation of security measures sufficient to reduce risks and vulnerabilities to its e-PH to a reasonable and appropriate level; and
  • From January 1, 2008, until March 29, 2012, ACMHS failed to implement technical security measures to guard against unauthorized access to e-PHI that is transmitted over an electronic communications network by failing to ensure that firewalls were in place with threat identification monitoring of inbound and out bound traffic and that information technology resources were both supported and regularly updated with available patches.
As is the usual course, each Resolution Agreement includes a Corrective Action Plan. ACMHS must take the following steps:

Revise and Distribute Policies and Procedures
ACMHS shall provide an updated version of its Security Rule Policies and Procedures, which were submitted to OCR on May 20, 2013, to HHS within sixty (60) days of the Effective Date for review and approval. Upon receiving any recommended changes to such policies and procedures from HHS, ACMHS shall have thirty (30) days to revise such policies and procedures accordingly and provide the revised policies and procedures to HHS for review and approval. . . . ACMHS shall distribute its revised Security Rule Policies and Procedures to all members of the workforce who use or disclose e-PHI concomitantly with general security awareness training . . .  [and] shall require, at the time of distribution of its Security Rule Policies and Procedures, and shall maintain for its files, a signed written or electronic initial compliance certification from all members of the workforce, stating that the workforce members have read, understand, and shall abide by the Security Rule Policies and Procedures.

Train Workforce Members.
. . .  ACMHS shall provide general security awareness training for each workforce member who uses or discloses e-PHI within sixty (60) days of HHS approval and at least every twelve(12) months thereafter . . . Each workforce member who is required to attend training shall certify, in electronic or written form, that he or she received the training.The training certification shall specify the date training was received. All course materials shall be retained . . . ACMHS shall review the training at least annually, and, where appropriate, update the training to reflectany changes in Federal law or HHS guidance, any issues discovered during audits or reviews, or any other relevant developments.

Undertake an Annual Risk Analysis

ACMHS shall annually, as required by ACMHS’ “IT Risk Management” policy and procedure, conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of e-PHI held by ACMHS and document the security measures ACMHS implemented or is implementing to sufficiently reduce the identified risks and vulnerabilities to a reasonable and appropriate level.

For a chart summary of the OCR fines as well as other HIPAA related litigation, please see https://melniklegal.com/list_of_HIPAA_fines_and_penalties.html.

---------------------
[1] Resolution Agreement between HHS Office of Civil Rights and Anchorage Community Mental Health Services, Inc. (Dec. 2, 2014).

[2] Press Release, Office of Civil Rights (December 8, 2014), available at https://www.hhs.gov/ocr/privacy/hipaa/enforcement/examples/acmhs/index.html.
---------------------

Posted by: Tatiana Melnik on December 9
, 2014