The US Department of Health and Human Services (HHS), Office for Civil Rights (OCR) announced a $240,000 civil monetary penalty against Providence Medical Institute in Southern California, concerning potential violations of the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Security Rule, following OCR's investigation of a breach report concerning a ransomware attack. Ransomware and hacking are the primary cyber-threats in healthcare. There has been a 264% increase in large breaches reported to OCR involving ransomware attacks since 2018. OCR enforces the HIPAA Privacy, Security, and Breach Notification Rules, which set forth the requirements that covered entities (health plans, healthcare clearinghouses, and most healthcare providers) and business associates must follow to protect the privacy and security of protected health information.
The HIPAA Security Rule establishes national standards to protect individuals' electronic personal health information that is created, received, used, or maintained by a covered entity. It also requires appropriate administrative, physical, and technical safeguards to ensure the confidentiality, integrity, and security of electronic protected health information. The Civil Money Penalty resolves OCR's investigation concerning Providence Medical Institute's compliance with the HIPAA Security Rule.