Oregon university pays $2.7 million to settle possible HIPAA violations
July 26, 2016
Portland, Ore. — Oregon Health & Science University will pay the federal government $2.7 million to settle potential violations of the Health Insurance Portability and Accountability Act.
The U.S. Department of Health and Human Services Office for Civil Rights began investigating the university after it submitted multiple reports of breaches affecting thousands of individuals, including two involving unencrypted laptops and another large breach involving a stolen unencrypted thumb drive, according to a news release. The investigation uncovered "evidence of widespread vulnerabilities within OHSU's HIPAA compliance program, including the storage of the electronic protected health information of over 3,000 individuals on a cloud-based server without a business associate agreement."
The Office for Civil Rights found "significant risk of harm" to 1,361 of the individuals because of the sensitive nature of their diagnoses, the news release stated. The server stored credit card and payment information, diagnoses, procedures, photos, driver's license numbers and Social Security numbers.
OHSU is a large public academic health center and research university centered in Portland, Oregon, comprising two hospitals and multiple general and specialty clinics throughout Portland and the State of Oregon.