Anchorage Community Mental Health Services (ACMHS) entered a $150,000 settlement with the Office of Civil Rights (OCR) to resolve potential HIPAA Security Rule violations. ACMHS reported a breach involving 2,743 patients.
Upon investigating, the OCR found:
- The breach was caused by malware.
- ACMHS adopted "sample" HIPAA Security policies and procedures in 2005 but did not follow them.
- ACMHS did not regularly update its software with patches.
- ACMHS used outdated, unsupported software.
OCR Director Jocelyn Samuels stated: “Successful HIPAA compliance requires a common sense approach to assessing and addressing the risks to ePHI on a regular basis... This includes reviewing systems for unpatched vulnerabilities and unsupported software that can leave patient information susceptible to malware and other risks.”