Idaho State University (ISU) has agreed to pay $400,000 to the U.S. Department of Health Human Services (HHS) for violations of the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Security Rule. This settlement involves the breach of unsecured electronic protected health information (ePHI) of 17,500 individuals who were patients at an ISU clinic.
The Office for Civil Rights (OCR) opened its investigation after ISU notified HHS that the ePHI of approximately 17,500 individuals was accessible at its Pocatello Family Medicine Clinic because an ISU server firewall was disabled. OCR investigators found that ISU did not apply proper security measures and policies to address risks to ePHI and did not have in place procedures for routine review of information system activity which could have detected the breach in the firewall much sooner. Overall, ISU failed to ensure the uniform implementation of required Security Rule protections at each of its covered clinics.
The Press Release can be found on the HHS News page:
and the Resolution Agreement can be found on the OCR website at: