Alaska's Medicaid program has agreed to pay OCR $1.7 million over potential HIPAA Security Rule violations, OCR announced in a June 26 press release. The settlement marks the second largest to date for HIPAA violations, behind CVS Caremark's $2.25 agreement in 2009. It also marks OCR's first enforcement action against a state agency. OCR reported that Alaska's Department of Health and Social Services (DHSS), the state Medicaid agency, did not have adequate policies and procedures in place to safeguard PHI when a USB hard drive was stolen from an employee's vehicle.