2016 Breach Costs OK State Medical Center $875K; System Initially Missed Vulnerability | Health Care Compliance Association (HCCA)

Report on Patient Privacy 22, no. 8 (August, 2022)

Oklahoma State University Center for Health Sciences’ (OSUCHS) breach might not have seemed all that serious at the time: No data is believed to have been misused, credit monitoring services were not offered and—another rarity—OSUCHS was never the subject of a class-action suit.

Yet last month, OSUCHS found itself on the receiving end of a settlement with the HHS Office for Civil Rights (OCR) for alleged HIPAA violations, paying $875,000 and agreeing to an extensive, two-year corrective action plan (CAP) that includes the little-employed requirement to appoint an “independent” monitor to oversee those efforts.[1]

An OSUCHS spokesperson told RPP the settlement was the product of lengthy negotiations with OCR.

This is the second recent agreement involving an academic health system. A day after the OSUCHS announcement, OCR said it had reached 11 additional agreements related to covered entities not providing patients access to their medical records—bringing the total settlements under this initiative to 38.[2] Among them was Memorial Hermann Health System, which paid $200,000 related to two patients who lodged access complaints with OCR.

OCR said on July 14 its investigation found that OSUCHS violated the Privacy, Security and Breach Notification rules.[3]
