The Office for Civil Rights (OCR) announced on Monday, December 14, 2014, that it has settled a HIPAA investigation with the University of Washington Medical School involving a data breach in October of 2013.

The breach occurred when an employee in the billing office clicked on an email attachment that contained malware and exposed 90,000 patients’ personal information, including 76,000 patient names, medical records and account balances, and 15,000 patients’ Social Security numbers, telephone numbers and dates of birth.

In addition to paying the hefty fine, the medical school has agreed to conduct annual risk analyses and report to OCR its risk management plans for the next two years.

We have seen an increase in employees exposing systems to malware through clicking on attachments or website links from work stations. This case illustrates again how important it is to keep your employees aware of the latest risks that can affect your system and how with one click, they can expose high risk data with dire consequences.