The University of Washington Medicine agreed to pay $750,000 to the Department of Health and Human Services to resolve an investigation into potential violations of the Health Insurance Portability and Accountability Act of 1996, also known as HIPAA.
The settlement agreement on Monday also includes a corrective action plan and calls for annual reports about the company’s compliance efforts to HHS. The settlement is not an admission of liability by the university and not a concession by the agency that the university did not violate the privacy, security or breach notification rules.
An Office of Civil Rights investigation found that the electronic protected health information of about 90,000 people was accessed after an employee downloaded an email attachment that contained malware, according to HHS. The agency said the investigation also found that the institution did not ensure its affiliated entities were properly conducting risk assessments and responding accordingly, even though those affiliated entities were required to implement safeguards in compliance with the law.
The malware compromised the organization’s IT system and affected two groups of patients, exposing their names, medical record numbers and other information, HHS said.
“All too often we see covered entities with a limited risk analysis that focuses on a specific system such as the electronic medical record or that fails to provide appropriate oversight and accountability for all parts of the enterprise,” Jocelyn Samuels, Office of Civil Rights director at HHS, said in a statement.