HIPAA fines from unpatched and unsupported software


The Department of Health and Human Services recently issued a $150,000 fine to Anchorage Community Mental Health Services (ACMHS) for HIPAA security violations. What’s noteworthy about this fine is that the covered entity did not keep up with security patches and ran outdated, unsupported software on its network.

The HHS Office for Civil Rights (OCR) opened an investigation back in 2012 after receiving notification from ACMHS regarding a breach of unsecured electronic protected health information (ePHI). ACMHS reported that 2,743 individuals had been affected after malware compromised the security of its information technology resources.

Desktop Computer Breached via Malware

HHS has a searchable database of every breach that affects more than 500 individuals, so we checked there to see if we could find more information on this breach. We discovered the breach ran for 15 days, from 20 December 2011 until 4 January 2012. We also found out that a single desktop computer was infected with malware. This leads me to believe the malware infection occurred either via email or from browsing a malware site. Quite possibly both occurred: a user got a forged email, clicked a link, was directed to a malware site, and then either malware was instantly installed in the background or they mistakenly entered their login information.

Computers Ran Unpatched and Outdated Software

As often happens, once the OCR began its investigation, it found other HIPAA compliance violations. In this case, it found that while ACMHS had adopted sample Security Rule policies and procedures in 2005, they were not followed. In addition, the security incident was the direct result of ACMHS failing to identify and address basic risks, such as not regularly updating its IT resources with available patches and running outdated, unsupported software. If I had to make an educated guess, it sounds like the infected desktop was running Windows XP with an outdated version of Internet Explorer, and it was immediately compromised once the user mistakenly visited a malware site with it.

In addition to the $150,000 settlement, Anchorage Community Mental Health Services will also be required to implement a corrective action plan and report to OCR on its compliance program for two years.

HIPAA Security Risk Assessment Tool

Did you know HHS offers a free HIPAA Security Risk Assessment Tool? You can use it to conduct reviews of the administrative, physical and technical safeguards you have in place for HIPAA compliance.


About the author

Hoala Greevy

Founder of Paubox. Kayak fishing when I can. Native Hawaiian CEO.
