State of Alaska Fined $1.7 Million for Security Breach
Alaska's Department of Health and Social Services (DHSS) recently agreed to pay the U.S. Department of Health and Human Services (HHS) $1.7 million to settle possible HIPAA violations related to the 2009 theft of a USB hard drive containing 501 people's electronic protected health information (ePHI) from a DHSS employee's vehicle.
The HHS Office for Civil Rights (OCR) began its investigation following a breach report submitted by Alaska DHSS as required by the Health Information Technology for Economic and Clinical Health (HITECH) Act. The report indicated that a portable electronic storage device (USB hard drive) possibly containing ePHI was stolen from the vehicle of a DHSS employee. Over the course of the investigation, OCR found evidence that DHSS did not have adequate policies and procedures in place to safeguard ePHI. Further, the evidence indicated that DHSS had not completed a risk analysis, implemented sufficient risk management measures, completed security training for its workforce members, implemented device and media controls, or addressed device and media encryption as required by the HIPAA Security Rule.