UMMC to pay $2.75M penalty related to potential patient data breach

The University of Mississippi Medical Center in Jackson

The University of Mississippi Medical Center will pay a penalty of $2.75 million as part of an agreement to settle multiple alleged violations that include failing to execute proper security measures after a UMMC laptop computer that stored confidential personal health information of about 10,000 individuals went missing in March 2013.

UMMC made the announcement Friday in a news release, but the medical center and the Office for Civil Rights of the U.S. Department of Health and Human Services came to an agreement on the issue on July 7.

The laptop was likely stolen by a hospital visitor, according to an Office for Civil Rights statement. Its users could access an active directory containing 67,000 files after entering a generic username and password. The directory included 328 files containing the information of an estimated 10,000 patients dating back to 2008, the statement said.

UMMC says there is no evidence to show its patients’ health information was accessed or disclosed.

“In the intervening three-plus years, no one who was a former patient has come forward to notify us that their personal health information was compromised,” UMMC spokesman Tom Fortner said in an email response to Mississippi Today.

While UMMC notified the public of the potential information breach on its website and sent out a news release to media outlets, the medical center did not notify each individual whose information could have been accessed from the laptop.

“We did not feel like we had adequate contact information for the individuals affected — or even a way to develop a reliable list — to make individual contact,” Fortner said. “So, as required by the (Health Insurance Portability and Accountability Act) regulation in such situations, we posted information about the breach on our website for 90 days and provided information about the breach to the news media.”

The penalty money will come from its health-care operations revenue, UMMC said.

As part of the settlement, UMMC is to launch a corrective action plan over the next three years, which will include updating its information security policy to say UMMC will notify each individual potentially affected by a breach.

“Our patients can rely on the fact that we have made crucial improvements in our processes and procedures, and improvements since this incident occurred,” Fortner said. “Our staff are committed to protecting the privacy of our patients as part of their ethical duty.”

Calls and messages to a U.S. Department of Health and Human Services spokesperson were not returned Friday.

Under the terms of the agreement, UMMC does not admit liability, and the agreement is not a finding that the medical center was not in violation.

  • Charles Pearce

    Here’s the most troubling sentence from the Office of Civil Rights (HHS) press release: “During the investigation, OCR determined that UMMC was aware of risks and vulnerabilities to its systems as far back as April 2005, yet no significant risk management activity occurred until after the breach, due largely to organizational deficiencies and insufficient institutional oversight.”