- Key Takeaways
- Anchorage Community Mental Health Services paid a $150,000 HIPAA settlement after a malware breach affected 2,743 individuals. The root cause was a failure to patch systems and years of running unsupported software.
- The organization had adopted HIPAA security policies, but employees did not follow them for seven years. Written policies without enforcement provide no actual protection against breach liability.
- Failing to patch systems and update software is one of the most frequently cited causes of healthcare data breaches: outdated software carries publicly known vulnerabilities that malware exploits without requiring any user error.
- A HIPAA risk management plan must include technical, physical, and administrative safeguards; an organization that implements only one category leaves the other two breach vectors unaddressed.
- Organizations running unsupported software face heightened breach risk because known vulnerabilities in end-of-life software are actively targeted and no longer receive security patches from the vendor.
Why you should protect your company's data
This is Lucy.
She works for Anchorage Community Mental Health Services, which was just the subject of a $150K HIPAA settlement.
The cause?
The organization failed to patch its systems and continued to run outdated, unsupported software, which eventually led to a malware data breach affecting 2,743 individuals.
How did this happen exactly?
Investigators found that Anchorage Community Mental Health Services had adopted HIPAA security policies and procedures, but the organization's employees did not follow them for a seven-year period, from 2005 to 2012.
In particular, the organization neglected to keep its IT resources current with system patches and supported software versions.
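The failure described above is an inventory problem before it is a technical one: nobody was tracking which systems were behind on patches or past vendor support. The following script is an added example, not code from the original page or from Neolytix or ACMHS, of the kind of check a practice could run over its asset inventory. The host names and patch dates are constructed for the example; the three end-of-support dates are Microsoft's published lifecycle dates for those products, but any such table should be verified against the vendor's lifecycle pages before it is used in a real audit. The patch-age limit of 30 days is an assumed policy value.

```python
from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class Host:
    name: str
    product: str        # e.g. "Windows Server"
    version: str        # e.g. "2003"
    last_patched: date  # date the last vendor patch set was applied


@dataclass(frozen=True)
class Finding:
    host: str
    kind: str           # "unsupported", "stale", or "no-lifecycle-data"
    detail: str


# Vendor end-of-support dates. These three are Microsoft's published
# lifecycle dates; verify a table like this against the vendor's lifecycle
# pages before relying on it in a real audit.
END_OF_SUPPORT = {
    ("Windows", "XP"): date(2014, 4, 8),
    ("Windows", "7"): date(2020, 1, 14),
    ("Windows Server", "2003"): date(2015, 7, 14),
}

# Constructed inventory for this example; the host names and dates are invented.
SAMPLE_INVENTORY = [
    Host("ehr-db-01", "Windows Server", "2003", date(2012, 3, 1)),
    Host("frontdesk-02", "Windows", "XP", date(2011, 11, 20)),
    Host("clinician-07", "Windows", "7", date(2014, 10, 1)),
    Host("billing-03", "Windows", "8.1", date(2014, 11, 20)),
]

# Date the sample audit is run "as of" (chosen near the 2014 settlement).
SAMPLE_AUDIT_DATE = date(2014, 12, 1)


def patch_age_days(host, today):
    """Days since the host last received vendor patches."""
    return (today - host.last_patched).days


def audit(hosts, today, max_patch_age_days=30, end_of_support=END_OF_SUPPORT):
    """Flag hosts that are past vendor support, behind on patching, or absent
    from the lifecycle table. The last case matters: a platform with no
    end-of-support date on file is an inventory gap that can hide an
    unsupported system. A host may produce more than one finding."""
    findings = []
    for h in hosts:
        key = (h.product, h.version)
        if key not in end_of_support:
            findings.append(Finding(
                h.name, "no-lifecycle-data",
                f"{h.product} {h.version} has no end-of-support date on file"))
        else:
            eol = end_of_support[key]
            if today >= eol:
                findings.append(Finding(
                    h.name, "unsupported",
                    f"{h.product} {h.version} left vendor support on {eol.isoformat()}"))
        age = patch_age_days(h, today)
        if age > max_patch_age_days:
            findings.append(Finding(
                h.name, "stale",
                f"last patched {age} days ago (limit {max_patch_age_days})"))
    return findings


if __name__ == "__main__":
    for f in audit(SAMPLE_INVENTORY, SAMPLE_AUDIT_DATE):
        print(f"{f.host:14} {f.kind:18} {f.detail}")
```

Against the sample inventory on the sample audit date, the XP host is reported as unsupported, three hosts are reported as stale, and the Windows 8.1 host is reported only because it is missing from the lifecycle table. In practice the inventory would be fed from a patch-management or endpoint tool rather than typed in, and the lifecycle table kept current from vendor sources; the point of the check is that it runs on a schedule and produces a list someone is accountable for clearing, which is exactly what was missing for seven years.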
In addition to the $150,000 settlement, Anchorage Community Mental Health Services will also be required to implement a corrective action plan and subsequently report to the Office for Civil Rights on its compliance program.
What could have been done to prevent this error?
Stronger administrative safeguards are key: follow the HIPAA Security Rule consistently and maintain a risk management plan that is actually carried out, not just written down.
That means conducting a comprehensive risk analysis and ongoing risk management so that individuals' electronic protected health information stays secure.
A risk management plan needs to include not only technical measures but also physical and administrative ones.
What are the best practices in doing so? How should we get started in making sure we are HIPAA compliant?
Every Covered Entity and Business Associate with access to PHI must ensure that the technical, physical and administrative safeguards required by the HIPAA Security Rule are in place and adhered to, that uses and disclosures of PHI comply with the HIPAA Privacy Rule, and that, should a breach of PHI occur, the procedure in the HIPAA Breach Notification Rule is followed.
Neolytix can help make sure your practice is HIPAA compliant. We can assess your current practice policies, identify gaps, and put safeguards in place to help you achieve HIPAA compliance. We can also conduct HIPAA assessments and audits for your practice.
Make sure your practice meets HIPAA compliance standards.
Give Neolytix a call or email to understand how to fully protect your medical practice today!
- Neolytix • Contact Us
Schedule a Consultation
Neolytix partners with healthcare organizations across revenue cycle, credentialing, and administrative operations, bringing 14+ years of expertise and AI-enabled automation to reduce inefficiencies and drive sustainable growth.