The University of Mississippi Medical Center will pay a penalty of $2.75 million as part of an agreement to settle multiple alleged violations that include failing to execute proper security measures after a UMMC laptop computer that stored confidential personal health information of about 10,000 individuals went missing in March 2013.
UMMC made the announcement Friday in a news release, but the medical center and the Office for Civil Rights of the U.S. Department of Health and Human Services came to an agreement on the issue on July 7.
The laptop was likely stolen by a hospital visitor, according to an Office for Civil Rights statement. Its users could access an active directory containing 67,000 files after entering a generic username and password. The directory included 328 files containing the information of an estimated 10,000 patients dating back to 2008, the statement said.
UMMC says there is no evidence to show its patients’ health information was accessed or disclosed.
“In the intervening three-plus years, no one who was a former patient has come forward to notify us that their personal health information was compromised,” UMMC spokesman Tom Fortner said in an email response to Mississippi Today.
While UMMC notified the public of the potential information breach on its website and sent out a news release to media outlets, the medical center did not notify each individual whose information could have been accessed from the laptop.
“We did not feel like we had adequate contact information for the individuals affected — or even a way to develop a reliable list — to make individual contact,” Fortner said. “So, as required by the (Health Insurance Portability and Accountability Act) regulation in such situations, we posted information about the breach on our website for 90 days and provided information about the breach to the news media.”
The penalty money will come from its health-care operations revenue, UMMC said.
As part of the settlement, UMMC is to launch a corrective action plan over the next three years, which will include updating its information security policy to say UMMC will notify each individual potentially affected by a breach.
“Our patients can rely on the fact that we have made crucial improvements in our processes and procedures, and improvements since this incident occurred,” Fortner said. “Our staff are committed to protecting the privacy of our patients as part of their ethical duty.”
Calls and messages to a U.S. Department of Health and Human Services spokesperson were not returned Friday.
Under the terms of the agreement, UMMC is not admitting liability and the agreement does not mean the medical center is not in violation.
This work is licensed under a Creative Commons Attribution-NoDerivatives 4.0 International License.
Here’s the most troubling sentence from the Office of Civil Rights (HHS) press release: “During the investigation, OCR determined that UMMC was aware of risks and vulnerabilities to its systems as far back as April 2005, yet no significant risk management activity occurred until after the breach, due largely to organizational deficiencies and insufficient institutional oversight.”