Federal regulators have hit the University of Washington Medicine with a $750,000 penalty and a corrective action plan as part of a HIPAA settlement after a 2013 malware-related breach affecting 90,000 individuals. It's the first such resolution agreement stemming from the investigation of a phishing incident.
The settlement with UWM is the sixth HIPAA resolution agreement that the Department of Health and Human Services' Office for Civil Rights has announced so far in 2015 and the third in recent weeks. Penalties levied by OCR in the six resolution agreements in 2015 total about $6 million. Since 2008, OCR has announced 28 resolution agreements and one case involving a civil monetary penalty.
In a statement, UWM says the email incident was limited to the information on a single employee's computer. "The malware attack occurred in October 2013 when an employee opened an email link to review a document. The malware provided potential access to contact and other information needed for billing patients that was stored in files on the employee's desktop computer," UWM says. "When the potential breach was discovered, UWM notified the FBI and the OCR."
The agreement with University of Washington Medicine, stemming from a phishing incident, is significant because "it serves as notice of the role that social engineering [awareness] exercises and training workforce members on the threats posed by malware hidden in emails can play in preventing catastrophic infiltration of an enterprise information system," says privacy attorney David Holtzman, vice president of compliance at the security consulting firm CynergisTek. Full story at HealthcareInfoSecurity.
The upshot: one employee opening a malicious email link cost $750,000 in HIPAA penalties, plus a corrective action plan. That click is exactly what effective security awareness training is designed to prevent. Find out how affordable that is for your organization and be pleasantly surprised.