The US Department of Health and Human Services (HHS), Office for Civil Rights (OCR) announced a $90,000 settlement with Virtual Private Network Solutions, LLC (VPN Solutions), a Virginia business associate that provides data hosting and cloud services to covered entities (health plans, health care clearinghouses, and most health care providers) and business associates, for a potential violation under the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Security Rule. The settlement resolves an investigation concerning a ransomware attack on VPN Solutions’s information system.
In December 2021, OCR received a breach report concerning a ransomware incident that impacted portions of the VPN Solutions server infrastructure. VPN Solutions filed the breach report on behalf of twelve covered entities, which had delegated their responsibility to report the breach to VPN Solutions. VPN Solutions reported that it became aware of the attack on October 31, 2021. The initial report indicated that the encrypted data included names, addresses, dates of birth, driver’s license information, Social Security numbers, other identifiers, claim information, bank account numbers, other financial information, diagnoses/conditions, lab results, medications, and other treatment information. OCR’s investigation determined that VPN Solutions had failed to conduct a compliant risk analysis to identify the potential risks and vulnerabilities to electronic protected health information (ePHI) held in its systems. The settlement resolves OCR’s investigation concerning VPN Solutions and this ransomware attack.