A medical facility run by Idaho State University (ISU) has been fined $400,000 (£266,000) after thousands of patient records were left in an unprotected state when firewall monitoring was disabled.

According to the medical information commissioner, the US Department of Health and Human Services (HHS), the records of 17,500 patients at the University’s 29 Pocatello Family Medicine Clinics were left unsecured for 10 months.

About half a dozen of the organisation’s clinics were subject to Health Insurance Portability and Accountability Act (HIPAA) rules, including the clinic at which the issue occurred, making it a notifiable incident.

The exact nature of the firewall issue was not specified in the HHS ruling but it mentioned more general problems with procedures dating back as far as 1 April 2007, some years before the breach was noticed in 2011.

The ISU had failed to carry out risk assessments on the sensitive data it held, the HHS said. It seems to have been the lack of systems within the organisation as a whole that compounded the breach on one site.

“Risk analysis, ongoing risk management, and routine information system reviews are the cornerstones of an effective HIPAA security compliance program,” said Leon Rodriguez of the HHS Office for Civil Rights (OCR).

“Proper security measures and policies help mitigate potential risk to patient information,” he said.