e-mail Print Share

Mississippi hospital agrees to $2.75 million settlement

August 16, 2016 Washington — The University of Mississippi Medical Center has agreed to pay $2.75 million to settle multiple alleged Health Insurance Portability and Accountability Act violations.

According to the U.S. Department of Health and Human Services Office for Civil Rights, its investigation followed UMMC's report of a stolen laptop. The investigation revealed that information stored on a UMMC network drive was "vulnerable to unauthorized access" via the hospital's wireless network because users could access a directory that included 328 files containing the electronic protected health information of some 10,000 patients dating back to 2008.

OCR said the hospital was "aware of risks and vulnerabilities to its systems as far back as April 2005, yet no significant risk management activity occurred until after the breach, due largely to organizational deficiencies and insufficient institutional oversight."

OCR said the investigation also revealed that UMMC failed to:  

  • Implement appropriate policies and procedures to prevent, detect, contain and correct security violations.
  • Implement physical safeguards for all workstations that access electronic protected health information to restrict access to authorized users.
  • Assign a unique user name and/or number for identifying and tracking user identity in information systems containing electronic protected health information.
  • Notify each individual whose unsecured electronic protected health information was reasonably believed to have been accessed, acquired, used or disclosed as a result of the breach.
In addition to the settlement, the University of Mississippi Medical Center will adopt a corrective action plan to help assure future HIPAA compliance.

For more information, visit OCR's website.