University fined $400,000 after disabled firewall put medical records at risk

Left unprotected for 10 months

A medical facility run by Idaho State University (ISU) has been fined $400,000 (£266,000) after thousands of patient records were left in an unprotected state when firewall monitoring was disabled.

According to the US Department of Health and Human Services (HHS), which enforces HIPAA, the records of 17,500 patients at the University's Pocatello Family Medicine Clinic, one of its 29 clinics, were left unsecured for 10 months.

About half a dozen of the organisation's clinics were subject to Health Insurance Portability and Accountability Act (HIPAA) rules, including the clinic at which the issue occurred, making it a notifiable incident.

The exact nature of the firewall issue was not specified in the HHS ruling, but it did mention more general procedural failings dating back as far as 1 April 2007, some years before the breach was noticed in 2011.

ISU had failed to carry out risk assessments on the sensitive data it held, the HHS said. It appears that the absence of organisation-wide review processes compounded what began as a configuration failure at a single site.

"Risk analysis, ongoing risk management, and routine information system reviews are the cornerstones of an effective HIPAA security compliance program," said Leon Rodriguez of the HHS Office for Civil Rights (OCR).

"Proper security measures and policies help mitigate potential risk to patient information," he said.

Stories by John E Dunn