• About Us
  • Events
  • Newsletter Sign Up
  • Spotlight Series
  • Webinars
  • WhitePapers
  • Videos
  • Podcasts
    1. Cybersecurity
    2. Privacy/Security

    Alaska Medicaid Pays $1.7 Million for Data Breach

    June 25, 2013
    The Alaska Department of Health and Social Services (DHSS) and the state Medicaid agency, has agreed to pay the U.S. Department of Health and Human Services’ (HHS) $1,700,000 to settle alleged violations of the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Security Rule. Additionally, Alaska’s DHSS agreed to take corrective action to properly safeguard the electronic protected health information (ePHI) of their Medicaid beneficiaries.

    The Alaska Department of Health and Social Services (DHSS) and the state Medicaid agency, has agreed to pay the U.S. Department of Health and Human Services’ (HHS) $1,700,000 to settle alleged violations of the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Security Rule.  Additionally, Alaska’s DHSS agreed to take corrective action to properly safeguard the electronic protected health information (ePHI) of their Medicaid beneficiaries. 

    The breach according to the Alaska DHSS was a stealing of a portable electronic storage device (USB hard drive) possibly containing ePHI from the vehicle of a DHSS employee.  Over the course of the investigation, OCR found evidence that DHSS did not have adequate policies and procedures in place to safeguard ePHI. The investigation initially began when the HHS Office for Civil Rights (OCR) after a breach report was submitted by Alaska DHSS as required by the Health Information Technology for Economic and Clinical Health (HITECH) Act. 

    The evidence indicated that DHSS had not completed a risk analysis, implemented sufficient risk management measures, completed security training for its workforce members, implemented device and media controls, or addressed device and media encryption as required by the HIPAA Security Rule.

     “Covered entities must perform a full and comprehensive risk assessment and have in place meaningful access controls to safeguard hardware and portable devices,” OCR director Leon Rodriguez said in a statement.  “This is OCR’s first HIPAA enforcement action against a state agency and we expect organizations to comply with their obligations under these rules regardless of whether they are private or public entities.”

    OCR enforces the HIPAA Privacy and Security Rules. The Privacy Rule gives individuals rights over their protected health information and sets rules and limits on who can look at and receive that health information. The Security Rule aims to protect health information in electronic form by requiring entities covered by HIPAA to use physical, technical, and administrative safeguards to ensure that electronic protected health information remains private and secure.

    Continue Reading

    Sponsored Recommendations

    Enhancing Healthcare Through Strategic IT and AI Innovations

    Learn how strategic IT and AI innovations are transforming healthcare - join Tomas Gregorio as he explores practical applications that enhance clinical decision-making, optimize...

    The Intersection of Healthcare Compliance and Security in the Age of Deepfakes

    As healthcare regulations struggle to keep up with rapid advancements in AI-driven threats like deepfakes, the security gaps have never been more concerning.

    Increasing Healthcare Security Behind and Beyond the Firewall

    Read how 5 identity security solutions can help you protect against these threats while improving user experience and reducing costs.

    Improve and Secure Healthcare Delivery with Digital Identity

    Get a deep understanding of how Digital Identity can help secure your healthcare organization while offering seamless access to your growing portfolio of apps and APIs.