HHS OCR Settles Ransomware Cybersecurity Investigation for $500,000

On October 31, 2024, the US Department of Health and Human Services (HHS), Office for Civil Rights (OCR), announced a settlement with a South Dakota medical practice concerning several potential violations of the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Security Rule. This follows an investigation into a ransomware attack that breached the practice’s systems.

OCR initiated the investigation after the practice reported a breach in July 2017, revealing that nine workstations and two servers had been infected with ransomware, compromising the electronic protected health information (ePHI) of 10,229 individuals. The attacker(s) gained access through a brute force attack on the practice's Remote Desktop Protocol (RDP) service. After discovering the breach, the practice was unable to restore the affected servers from backup.

OCR’s investigation revealed multiple potential violations of the HIPAA Security Rule, including:

    • Failing to conduct a compliant risk analysis to identify potential risks and vulnerabilities to ePHI.
    • Not implementing adequate security measures to mitigate these risks.
    • Lacking procedures for regularly reviewing records of information system activity.
    • Failing to establish policies and procedures for addressing security incidents.

Under the terms of the settlement, the practice paid $500,000 to OCR and agreed to implement a corrective action plan with the following requirements:

    • Conducting an accurate and thorough risk analysis to identify vulnerabilities related to the confidentiality, integrity, and availability of ePHI.
    • Implementing a written risk management plan to address and mitigate identified security risks.
    • Implementing policies and procedures to address and respond to known security incidents, including mitigation and documentation of outcomes.
    • Implementing policies and procedures to create and maintain retrievable backups of ePHI, regularly testing their recoverability and ensuring multiple encrypted copies are stored securely.
    • Implementing verification processes to confirm the identity of individuals or entities seeking access to ePHI.
    • Limiting access to ePHI in electronic information systems to authorized personnel only.
    • Revising its policies and procedures to ensure staff understanding of permissible uses and disclosures of PHI, and how to report potential violations.
    • Revising its breach notification policies and procedures to ensure timely notification to affected individuals, the HHS Secretary, and, if necessary, the media, within 60 calendar days of a breach.
    • Providing training for staff on HIPAA policies and procedures.

OCR will monitor the practice for two years to ensure compliance with the law.

Compliance Perspective

Issue

Ransomware and hacking are the primary cyber threats in healthcare. Since 2018, there has been a 264 percent increase in large breaches reported to OCR involving ransomware attacks. OCR enforces the HIPAA Privacy, Security, and Breach Notification Rules, which set forth the requirements that health plans, healthcare clearinghouses, most healthcare providers, and their business associates must follow to protect the privacy and security of PHI. The HIPAA Security Rule establishes national standards to protect individuals’ electronic personal health information that is created, received, used, or maintained by a covered entity. It also requires appropriate administrative, physical, and technical safeguards to ensure the confidentiality, integrity, and security of ePHI.

Discussion Points

    • Review policies and procedures related to HIPAA, PHI, the Privacy and Security rules, and data integrity. Ensure that they address how to avoid falling prey to intrusion attempts by unauthorized individuals, and how to guard against and detect malicious software. Update them as new information becomes available.
    • Train staff involved with the use and maintenance of the organization’s computer information systems on the HIPAA Security Rule, including the requirements for conducting risk assessments. Train appropriate staff on HIPAA, PHI, and the Privacy and Security rules, including how to avoid phishing schemes, malware exposures, and unauthorized release of PHI, and how to detect malicious software and report such detections. Provide additional training at least annually and whenever new threats and security information become known. Document that these trainings occurred, and file the signed training document in each employee’s education file.
    • Periodically audit to ensure that staff are adhering to data integrity security measures, and to ensure that the facility’s policies and procedures for HIPAA, PHI, and the Privacy and Security rules are being followed. Also periodically audit to ensure ongoing risk analysis is being conducted.

*This news alert has been prepared by Med-Net Concepts, Inc. for informational purposes only and is not intended to provide legal advice.*
