Alaska Settles Breach Case for $1.7 million
Alaska’s Department of Health & Human Services (DHSS), the state’s Medicaid agency, will pay $1.7 million to the U.S. Department of Health & Human Services (HHS) after reporting a USB hard drive containing personal health information (PHI) was stolen from a state employee’s car. This is the first fine levied by the Office of Civil Rights (OCR) against a state agency.
Alaska DHSS will also implement a corrective action plan that requires it to review, revise, and maintain policies and procedures to ensure compliance with the Health Insurance Portability and Accountability Act (HIPAA) Security Rule. A monitor will report back to OCR regularly on the state’s ongoing compliance efforts.
“Covered entities must perform a full and comprehensive risk assessment and have in place meaningful access controls to safeguard hardware and portable devices,” said OCR Director Leon Rodriguez. “This is OCR’s first HIPAA enforcement action against a state agency and we expect organizations to comply with their obligations under these rules regardless of whether they are private or public entities.”
The Alaska penalty is being watched by officials in other states—especially in Utah, where a 780,000-record Medicaid data breach was discovered earlier this year. It is the second major breach for the Beehive State.