The University of Washington Medicine (“UWM”) has agreed to settle the investigation conducted by the U.S. Department of Health and Human Services Office for Civil Rights (“OCR”) of potential HIPAA violations arising from a 2013 malware attack on the organization that put around 90,000 individuals’ electronic protected health information (“e-PHI”) at risk.  The settlement includes UWM’s institution of a corrective action plan, annual reporting on UWM’s compliance efforts, and a $750,000 monetary payment. 

The agreement was announced by HHS on December 14, 2015.

UWM is the primary teaching hospital of the University of Washington School of Medicine.  As an “affiliated covered entity,” as defined by HIPAA, it must have policies and procedures in place to ensure HIPAA compliance, including, under the Security Rule’s security management process standard, policies and procedures “to prevent, detect, contain and correct security violations.”

The malware that put UWM patients’ information at risk was downloaded onto a UWM administrative computer when an employee opened an email attachment.  The information of two groups of patients was compromised: one set involving a combination of patient names, medical record numbers, dates of service, and billing information; the other involving names, medical record numbers, and other demographic information such as dates of birth, phone numbers, addresses, social security numbers, and insurance and billing information.

UWM notified OCR of the breach in November 2013, and an investigation was opened the following month.  The OCR investigation concluded that UWM “failed to implement policies and procedures to prevent, detect, contain, and correct security violations.”  Specifically, OCR found that UWM “failed to conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of e-PHI.”

A copy of the Resolution Agreement and Corrective Action Plan is available from HHS.

HHS also publishes guidance on how organizations can conduct a risk assessment that complies with the HIPAA Security Rule.