Idaho State University (ISU) operates 29 outpatient clinics and is responsible for securing the health information technology systems they use.
The university has agreed to pay a $400,000 (€306,000) fine to the US Department of Health and Human Services (HHS) after exposing the records of around 17,500 patients of the Pocatello Family Medicine Clinic, one of the clinics it operates.
According to the HHS, ISU exposed the patient records for at least 10 months by disabling firewall protections on servers it maintained.
“[The HHS Office for Civil Rights (OCR)’s] investigation indicated that ISU’s risk analyses and assessments of its clinics were incomplete and inadequately identified potential risks or vulnerabilities. ISU also failed to assess the likelihood of potential risks occurring,” reads a press release from the HHS.
“OCR concluded that ISU did not apply proper security measures and policies to address risks to ePHI and did not have procedures for routine review of their information system in place, which could have detected the firewall breach much sooner.”
In addition to paying the fine, ISU has agreed to take corrective measures to address the issues uncovered by OCR’s investigation.
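OCR’s point that a routine review of the information system could have caught the disabled firewall much sooner is the kind of check that can be automated rather than left to a periodic audit. The following is an added example and not ISU’s or HHS’s own tooling; the page says nothing about what ISU’s servers actually ran, so the script assumes a Linux host whose packet filter state is captured with `iptables-save`. The two snapshots, the chain names and the required-rule strings are constructed for illustration. The check flags the “firewall effectively disabled” condition (filter table missing, chains flushed, or default INPUT policy opened) and also catches a single expected rule silently disappearing.

```python
"""Routine firewall-state review for a Linux host.

Added illustration, not tooling from the article or from ISU/HHS.
Input is the text of `iptables-save` (constructed samples below); output
is a list of findings, empty when the filter looks intact.
"""
import re

# Constructed snapshot of a host with an intact filter (not real ISU data).
HARDENED = """\
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p tcp --dport 443 -j ACCEPT
-A INPUT -p tcp --dport 22 -s 10.0.0.0/8 -j ACCEPT
COMMIT
"""

# Constructed snapshot of the failure mode: chains flushed, policies opened.
FLUSHED = """\
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
COMMIT
"""

POLICY_RE = re.compile(r"^:(\S+) (ACCEPT|DROP|REJECT) ")
RULE_RE = re.compile(r"^-A (\S+) (.*)$")
TERMINAL_DENY_RE = re.compile(r"-j (DROP|REJECT)\b")


def parse_filter_table(snapshot):
    """Return ({chain: default policy}, {chain: [rule body, ...]}) for *filter."""
    policies, rules = {}, {}
    in_filter = False
    for line in snapshot.splitlines():
        if line.startswith("*"):            # table header, e.g. *filter / *nat
            in_filter = line == "*filter"
            continue
        if not in_filter or line == "COMMIT":
            continue
        m = POLICY_RE.match(line)           # ":INPUT DROP [pkts:bytes]"
        if m:
            policies[m.group(1)] = m.group(2)
            rules.setdefault(m.group(1), [])
            continue
        m = RULE_RE.match(line)             # "-A INPUT <match> -j <target>"
        if m:
            rules.setdefault(m.group(1), []).append(m.group(2))
    return policies, rules


def review_firewall(snapshot, required_rules=()):
    """Return findings for one host; an empty list means no drift detected.

    required_rules: substrings that must appear in some INPUT rule (for
    example the source restriction on SSH), so that a single rule being
    removed is reported even when the default policy is still DROP.
    """
    policies, rules = parse_filter_table(snapshot)
    findings = []
    if not policies:
        findings.append("no filter table present: packet filtering is not loaded")
        return findings
    input_rules = rules.get("INPUT", [])
    if policies.get("INPUT") == "ACCEPT" and not any(
        TERMINAL_DENY_RE.search(r) for r in input_rules
    ):
        findings.append(
            "INPUT policy is ACCEPT with no DROP/REJECT rule: firewall effectively disabled"
        )
    if policies.get("FORWARD") == "ACCEPT":
        findings.append("FORWARD policy is ACCEPT: host may route unfiltered traffic")
    for needle in required_rules:
        if not any(needle in r for r in input_rules):
            findings.append(f"required INPUT rule missing: {needle!r}")
    return findings


if __name__ == "__main__":
    # In production the snapshot would come from `iptables-save` on each host
    # (assumed collection path); here the constructed samples stand in.
    for name, snap in (("hardened", HARDENED), ("flushed", FLUSHED), ("empty", "")):
        found = review_firewall(snap, required_rules=("--dport 22 -s 10.0.0.0/8",))
        print(name, "OK" if not found else found)
```

Run against a fleet, the non-empty finding list is what should page someone; the point is that a flushed filter table produces no error anywhere on the host, so only a scheduled comparison against an expected state surfaces it.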