State of Alaska Fined $1.7 Million for Security Breach
In addition to paying the fine, the state's Department of Health and Social Services has agreed to improve its security practices.
Alaska's Department of Health and Social Services (DHSS) recently agreed to pay the U.S. Department of Health and Human Services (HHS) $1.7 million to settle possible HIPAA violations related to the 2009 theft of a USB hard drive containing 501 people's electronic personal health information (ePHI) from a DHSS employee's vehicle.
"In this case, the hefty settlement price tag was not based on the number of victims, but on the Alaska agency's apparently shoddy information security practices it had in place," writes SC Magazine's Dan Kaplan. "Health care security regulators said that based on an investigation, which included an on-site visit, DHSS failed to conduct a risk analysis, deploy adequate risk management practices, complete security awareness training of its employees or implement measures to control and secure its devices."
"In addition to paying damages in the settlement, DHSS also has agreed to ramp up security on its electronically-protected health information and implement practices including risk management and security training," writes FierceHealthcare's Allison Floyd.
"Covered entities must perform a full and comprehensive risk assessment and have in place meaningful access controls to safeguard hardware and portable devices," Leon Rodriguez, director of the HHS Office for Civil Rights (OCR), said in a statement. "This is OCR’s first HIPAA enforcement action against a state agency and we expect organizations to comply with their obligations under these rules regardless of whether they are private or public entities."
"Whatever type of sensitive information your organization gathers, the easiest way to ensure it isn't stolen, leaked by hackers or accidentally discovered on an old USB key is to protect the information from the beginning," writes Sophos' Chester Wisniewski. "Rather than worry about whether something is a mobile device or removable drive, encrypt it anyway. Base your decisions on what the information is, rather than where it is. You never know where the data may end up in the end and the job is a lot easier if you protect it based on what, not where."