The US Department of Health and Human Services (HHS), Office for Civil Rights (OCR) announced a settlement with Bryan County Ambulance Authority (BCAA), a provider of emergency medical services in Oklahoma for a potential violation of the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Security Rule. The settlement resolves an investigation concerning a ransomware attack on BCAA’s information systems. Ransomware and hacking are the primary cyberthreats in healthcare. Since 2018, there has been a 264% increase in large breaches reported to OCR involving ransomware attacks. The settlement also marks the first enforcement action in OCR’s Risk Analysis Initiative. This enforcement initiative was created to focus select investigations on compliance with the HIPAA Security Rule Risk Analysis provision, a key Security Rule requirement, and the foundation for effective cybersecurity and the protection of electronic protected health information (ePHI).
