HIPAA Settlement with Anchorage Community Mental Health Services

by Bevon Findley (SU)

PRESS RELEASE

December 2014
U.S. Department of Health and Human Services
Office for Civil Rights


HIPAA Settlement Underscores the Vulnerability of Unpatched and Unsupported Software

ACMHS will pay $150,000 and adopt a corrective action plan to correct deficiencies in its HIPAA compliance program. ACMHS is a five-facility, nonprofit organization providing behavioral health care services to children, adults, and families in Anchorage, Alaska.

OCR opened an investigation after receiving notification from ACMHS regarding a breach of unsecured electronic protected health information (ePHI) affecting 2,743 individuals due to malware compromising the security of its information technology resources. OCR’s investigation revealed that ACMHS had adopted sample Security Rule policies and procedures in 2005, but these were not followed. Moreover, the security incident was the direct result of ACMHS failing to identify and address basic risks, such as not regularly updating its IT resources with available patches and running outdated, unsupported software.

“Successful HIPAA compliance requires a common sense approach to assessing and addressing the risks to ePHI on a regular basis,” said OCR Director Jocelyn Samuels. “This includes reviewing systems for unpatched vulnerabilities and unsupported software that can leave patient information susceptible to malware and other risks.”

ACMHS cooperated with OCR throughout its investigation and has been responsive to technical assistance provided to date. In addition to the $150,000 settlement amount, the agreement includes a corrective action plan and requires ACMHS to report on the state of its compliance to OCR for a two-year period.