
  • Malware Infection Results in $150,000 HIPAA Fine

    Malware on a personal computer is troubling enough, but when it comes to computers used by health care providers, the viruses can result in federal fines for patient privacy violations.

    According to the US Department of Health and Human Services (HHS) Office for Civil Rights (OCR), this was a lesson recently learned by Anchorage Community Mental Health Services (ACMHS), which was fined $150,000 for not preventing malware from infecting its computers. The malicious programming breached the protected electronic health information of 2,743 individuals in violation of the Health Insurance Portability and Accountability Act of 1996 (HIPAA).

    According to an OCR news release, ACMHS adopted HHS security rule policies in 2005 but never followed them. The introduction of the malware into the ACMHS system was "the direct result of ACMHS failing to identify and address basic risks, such as not regularly updating their IT resources with available patches and running outdated, unsupported software," according to an HHS/OCR bulletin (.pdf).

    In addition to the $150,000 settlement amount, the resolution agreement (.pdf) between ACMHS and OCR includes a corrective action plan and requires ACMHS to report on the state of its compliance to OCR for a 2-year period.

    OCR and the Office of the National Coordinator for Health Information Technology offer a Security Rule Risk Assessment Tool to help organizations conduct regular security reviews.

    HIPAA rules can be complex, but the consequences of not understanding them can be serious. APTA provides resources on compliance on APTA's HIPAA webpage. Also, read about securing information specifically on mobile devices in the December/January issue of PT in Motion magazine (member login required).


    • More HIPAA fines for non-compliance, and it's not surprising. I would just add that breaches of Protected Health Information (PHI) will continue to happen until both Covered Entities and Business Associates get serious about putting in place the necessary controls for ensuring the safety and security of PHI. It means developing comprehensive HIPAA policies and procedures, undertaking annual security awareness training and risk assessments, and many other critical activities. Sure, budgets are tight and margins are thin in today’s competitive business landscape, but what business do you have if PHI is breached and seriously compromised? I think most companies truly want to do all they can in protecting PHI and becoming HIPAA compliant, but it just seems overwhelming at first because of the massive amount of policies, procedures, and processes that need to be in place. My advice: take a deep breath, find an experienced HIPAA consultant, get hold of some quality HIPAA policy templates and begin the process. You’ll get there!

      Posted by Heather McFarland on 12/12/2014 7:55 AM

    • It is mainly discussing the result of the malware infection: a $150,000 HIPAA fine. All the developers of the technologies must have a proper idea regarding such results of malware software.

      Posted by Dell tech support on 8/13/2018 5:26 PM

    • Malware is basically the malicious files which can harm our computers and laptops. There are lots of malware removal tools which help for this purpose.

      Posted by mcafee customer service on 8/16/2018 6:12 PM

    • That's a huge fine. It might have caused an impact.

      Posted by Peter Smith on 7/8/2019 1:07 PM
