From HHS, a bulletin concerning a settlement following a malware incident in 2011 that might have been avoided had the covered entity updated and patched their software: Anchorage Community Mental Health Services (ACMHS) has agreed to settle potential violations of the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Security Rule with the Department of Health and Human Services (HHS), Office for Civil Rights (OCR). ACMHS will pay $150,000 and adopt a corrective action plan to correct deficiencies in its HIPAA compliance program. ACMHS is a five-facility, nonprofit organization providing behavioral health care services to children, adults, and families in Anchorage, Alaska.
Source: HIPAA Settlement Underscores the Vulnerability of Unpatched and Unsupported Software
Related: Resolution Agreement (PDF)