According to the Department of Health and Human Services (HHS), Idaho State University (ISU) has agreed to pay $400,000 to HHS for violations of the HIPAA Security Rule. The settlement was reached after the health records of 17,500 patients of an ISU clinic were compromised. You can read more about it here.
The Office for Civil Rights (OCR) opened investigations after ISU notified HHS that their server firewall was disabled. Through its investigation, the OCR found that ISU did not apply proper security measures and policies, failures that could all have been avoided by consulting with a HIPAA security consultant and by executing routine HIPAA security audits.
This isn’t the first time a well-known university has been penalized for a health data breach. We wrote about Indiana University and its breach in another post that you can find here.