Sign in

Failure to Run a Thorough Risk Analysis Gets Costly

By: Lisa Marlin

July 24, 2022

It’s risky to take shortcuts in your risk analysis. In fact, it could cost you hundreds of thousands of dollars when a breach occurs, not to mention your credibility. The experts at PrivaPlan can help ensure that won’t happen. But first, let’s take a look at a recent organization that hadn’t conducted an accurate and thorough risk analysis which then gave a hacker access to its web server. This breach occurred six years ago; this year a big fine was enforced.

Oklahoma State University – Center for Health Sciences (OSU-CHS) paid $875,000 to the Office for Civil Rights (OCR) at the US Department of Health and Human Services (HHS) and agreed to implement a corrective action plan to settle potential violations of the HIPAA) Privacy, Security, and Breach Notification Rules. The resolution and corrective agreement can be found here.

What went wrong

An unauthorized third party gained access to a web server that contained electronic protected health information (ePHI). The hacker then installed malware that resulted in the disclosure of the ePHI of 279,865 individuals, including their names, Medicaid numbers, healthcare provider names, dates of service, dates of birth, addresses, and treatment information. OSU-CHS initially reported that the breach occurred in 2017, but later reported that the ePHI was first impermissibly disclosed in 2016.

What potential HIPAA violations were found?

  • impermissible uses and disclosures of PHI
  • failure to conduct an accurate and thorough risk analysis
  • failure to perform an evaluation
  • failures to implement audit controls, security incident response and reporting
  • failure to provide timely breach notification to affected individuals and HHS

“HIPAA covered entities are vulnerable to cyber-attackers if they fail to understand where ePHI is stored in their information systems,” said OCR Director Lisa J. Pino. “Effective cybersecurity starts with an accurate and thorough risk analysis and implementing all of the Security Rule requirements.”

What can you do?

First, read Pino’s quote again, focusing on the bolded line especially. Then review your risk analysis protocol to ensure it is accurate, thorough, and up to date. Don’t guess. Know. We can take the guesswork out of it for you. With years of experience conducting HIPAA Security Risk Analyses and other service solutions, PrivaPlan stands behind our work and in front of yours to ensure patient data is protected and hackers aren’t.

For more information, contact us at or call 877-218-7707.