Today, the US Department of Health and Human Services (HHS), Office for Civil Rights (OCR) announced a settlement with Cascade Eye and Skin Centers, PC, a privately-owned healthcare provider in the state of Washington, concerning potential violations of the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Security Rule, following a ransomware attack investigation by OCR. Ransomware and hacking are the primary cyber-threats in healthcare. Since 2018, there has been a 264% increase in large breaches reported to OCR involving ransomware attacks.
OCR initiated an investigation following the receipt of a complaint alleging that Cascade Eye and Skin Centers experienced a ransomware attack. OCR’s investigation determined that approximately 291,000 files that contained electronic protected health information (ePHI) were affected. OCR found multiple potential violations of the HIPAA Security Rule, including failures by Cascade Eye and Skin Centers to conduct a compliant risk analysis to determine the potential risks and vulnerabilities to ePHI in its systems, and to have sufficient monitoring of its health information systems’ activity to protect against a cyberattack. Under the terms of the settlement, Cascade Eye and Skin Centers has paid $250,000 to OCR and will implement a corrective action plan that requires Cascade Eye and Skin Centers to take steps toward protecting and securing protected health information. OCR will monitor the corrective action plan for two years.