$1.7 Million HIPAA Violation.
The OCR reached a $1.7 million settlement with the Alaska Department of Health and Social Services (“DHSS”) for HIPAA violations. The matter had its genesis in a USB drive, possibly containing electronic protected health information of Medicaid recipients, that was stolen from a DHSS employee’s car. DHSS had reported the stolen USB drive to OCR as a HIPAA breach, which led to an OCR investigation. During the course of this investigation, the OCR discovered that DHSS had not completed a risk analysis, implemented sufficient risk management measures, completed security training for its workforce members, or implemented device and media controls/encryption as required by the HIPAA Security Rule.