The University of Mississippi Medical Center (UMMC) entered into a $2.75 million penalty agreement with the Department of Health and Human Services (HHS) Office for Civil Rights. HHS charged UMMC with multiple HIPAA violations stemming from its report of the loss of a laptop containing 328 files with PHI of about 10,000 patients.
In 2013, UMMC reported to HHS that a laptop was missing from the Center’s intensive care unit. It is likely that the laptop was stolen by a visitor. While the laptop was password protected, HHS determined that UMMC had breached the Security Rule: PHI stored on a UMMC network drive was open to unauthorized access through UMMC’s wireless network, because users could use a generic username and password to access an active directory containing 67,000 files.
UMMC agreed to pay $2.75 million and implement a compliance plan including a review of its HIPAA privacy, security and breach notification practices.