Anchorage Community Mental Health Services (ACMHS) to Pay $150,000 for HIPAA Violation Due to the Vulnerability of Unpatched and Unsupported Software
The Anchorage Community Mental Health Services (ACMHS) organization has been fined for its violations of the Security Rule of the Health Insurance Portability and Accountability Act (HIPAA). The fines ACMHS has been ordered to pay total $150,000. It will also have to undertake a plan to correct all areas where it falls short of the HIPAA Security Rule compliance requirements. The organization, located in Anchorage, Alaska, provides behavioral health care services to clients of all ages.
The Department of Health and Human Services (HHS) Office for Civil Rights (OCR) was required to open an investigation into ACMHS when it was advised of a breach in the IT security systems that put the electronic protected health information (PHI) of 2,743 patients at risk. It was discovered that the systems had been highly compromised by malware. The OCR found that while ACMHS had adopted HIPAA security measures in 2005, it had not continued to follow them. Furthermore, its information technology security software was extremely out of date, which allowed the PHI to be compromised in the first place.
Jocelyn Samuels, director of OCR, stressed that complying with HIPAA requirements “… includes reviewing systems for unpatched vulnerabilities and unsupported software that can leave patient information susceptible to malware and other risks.”
In addition to the $150,000 fine and the new requirements to bring its IT systems up to date, the OCR has required ACMHS to report on its HIPAA compliance for two years. Overall, ACMHS has cooperated with the OCR during the investigation. The Resolution Agreement can be found here.