OCR reaches third-ever ransomware settlement

The HHS Office for Civil Rights (OCR) reached a settlement with Heritage Valley Health System, an organization that provides care to patients in Pennsylvania, Ohio and West Virginia.

This marks the third-ever ransomware settlement that OCR has reached. Since 2018, HHS has observed a 264% increase in large breaches involving ransomware reported to OCR.  

OCR’s investigation into Heritage Valley began in 2017 following a ransomware attack against the organization. The investigation revealed noncompliance with the HIPAA Security Rule.

Specifically, OCR found potential violations relating to HIPAA’s requirement to conduct a risk analysis, establish policies and procedures for responding to an event that damages systems containing ePHI and implement technical processes to maintain proper ePHI access.

In addition to paying $950,000, Heritage Valley agreed to implement a corrective action plan to address potential HIPAA Security Rule violations. The plan requires Heritage Valley to conduct an accurate and thorough risk analysis, implement a risk management plan, revise its policies to ensure HIPAA compliance and train its workforce on HIPAA procedures.

Generally, OCR recommended that all HIPAA-covered entities take these steps to ensure compliance and mitigate cyber threats.

“Hacking and ransomware are the most common type of cyberattacks within the health care sector. Failure to implement the HIPAA Security Rule requirements leaves health care entities vulnerable and makes them attractive targets to cyber criminals,” said OCR Director Melanie Fontes Rainer.

“Safeguarding patient protected health information protects privacy and ensures continuity of care, which is our top priority. We remind and urge health care entities to protect their records systems and patients from cyberattacks.”