Oklahoma State University – Center for Health Services Forks Over $875,000 to Settle Hacking Breach

July 15, 2022

What did the duck say when she went to buy lipstick? Put it on my bill! Speaking of bills (the money kind, not a beak), Oklahoma State University had to pay a huge bill of $875,000! It acts as a settlement for a huge hacking breach of the OSU CHS web servers. Oklahoma State University has agreed to pay the price and complete a corrective action plan over the next two years to resolve all of the violations of the Breach Notification Rules, Security, and HIPAA Privacy.

OCR received a breach report in 2018 due to the hacking of the OSU’s web servers. They discovered that the hacker of this breach had access to 279,865 individuals’ electronic protected health information (ePHI). OSU found that the hackers had access to patients ePHI earlier than they originally thought, on March 9th, 2016.

OCR Director, Lisa J. Pino, states, “HIPAA-covered entities are vulnerable to cyber-attackers if they fail to understand where ePHI is stored in their information systems.” 

As technology in the healthcare business evolves, it is critical to understand how to appropriately secure personal health information (PHI) when being stored or sent. With cybersecurity dangers on the rise and electronic communication becoming more widespread, it’s imperative to secure your patients’ data. Encryption services are an excellent method to safeguard your practice and avoid those sticky HIPAA violations. Good news for you, you don’t have to be a sitting duck! (Cough, Abyde.) 

The OCR reported that OSU failed to follow the HIPAA rules by:

  • Impermissible disclosure of the ePHI of 279,865 individuals
  • Failure to complete a risk analysis prior to and following the breach 
  • Failure to implement audit controls
  • Failure to maintain the proper security measures to protect PHI and reduce further risks

Unfortunately for the Cowboys, their failure to maintain proper security, risk analysis measures, and documentation of compliance cost them a large fine and put all of the OSU patients ePHI at risk. This breach, and corresponding financial settlement, highlight that even for huge organizations like OSU, the right risk analysis practices and HIPAA-compliant policies are a must in order to prevent impermissible safeguarding or access to ePHI. 

Even as an independent practice, you may not feel like you have anything in common with a big fish like OSU. No matter if you’re a duck, fish, or cowboy, it doesn’t matter – everyone is monitored and at risk. As the penalties for these violations become more severe, it is more crucial than ever to ensure that your practice has a solid HIPAA program in place.