Widespread HIPAA vulnerabilities result in $2.7 million settlement with Oregon Health & Science University

Oregon Health & Science University (OHSU) has agreed to settle potential violations of the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Privacy and Security Rules following an investigation by the U.S. Department of Health and Human Services Office for Civil Rights (OCR) that found widespread and diverse problems at OHSU, which will be addressed through a comprehensive three-year corrective action plan.  The settlement includes a monetary payment by OHSU to the Department for $2,700,000.   

OCR’s investigation began after OHSU submitted multiple breach reports affecting thousands of individuals, including two reports involving unencrypted laptops and another large breach involving a stolen unencrypted thumb drive.  These incidents each garnered significant local and national press coverage. OCR’s investigation uncovered evidence of widespread vulnerabilities within OHSU’s HIPAA compliance program, including the storage of the electronic protected health information (ePHI) of over 3,000 individuals on a cloud-based server without a business associate agreement.  OCR found significant risk of harm to 1,361 of these individuals due to the sensitive nature of their diagnoses. The server stored a variety of ePHI including credit card and payment information, diagnoses, procedures, photos, driver’s license numbers and Social Security numbers. 







©2021 HIT Leaders and News, a GO Digital Media publication. All rights reserved.