The US Department of Health and Human Services (HHS), Office for Civil Rights (OCR) announced an $80,000 settlement under the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Security Rule with Elgon Information Systems (Elgon), a Massachusetts company that provides electronic medical record and billing support services to covered entities and is therefore a HIPAA business associate.

On March 25, 2023, an unknown actor gained access to a server on Elgon’s information system through open ports on Elgon’s firewall. Elgon did not detect the intrusion until March 31, 2023, six days later, when a ransom note was found. In June 2023, Elgon filed a breach report with HHS stating that approximately 31,248 individuals were affected when Elgon’s computer system was infected with ransomware. The protected health information (PHI) exposed included demographic information (name, Social Security number, address, driver’s license number, and date of birth) and clinical information (medication, diagnosis, and condition).

OCR’s investigation determined that Elgon had failed to conduct an accurate and thorough risk analysis of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of electronic PHI (ePHI) in its systems, as required by the Security Rule at 45 CFR § 164.308(a)(1)(ii)(A). A risk analysis of that kind is expected to inventory where ePHI resides and how it is exposed, which is precisely the exercise that would have identified an externally reachable server behind open firewall ports.