HHS settles 2 investigations under HIPAA Security Rule

Cascade Eye and Skin Centers faces $250K penalty

In September 2024, following an investigation, OCR imposed a $250,000 civil monetary penalty on Cascade Eye and Skin Centers, a privately owned healthcare provider in Washington state. Cascade suffered a ransomware attack on May 26, 2017.

During the ransomware attack, cyberthreat actors held protected health information (PHI) for ransom. The cyberattack affected approximately 291,000 files. OCR launched an investigation after receiving a complaint alleging that Cascade had experienced a ransomware attack.

OCR's investigation revealed alleged failures by Cascade to conduct a risk analysis to determine vulnerabilities to PHI in its systems, as well as failure to monitor its health information systems to protect against a cyberattack.

In addition to the civil monetary penalty, Cascade agreed to implement a corrective action plan that will be monitored by OCR. Cascade did not admit any wrongdoing but agreed to the terms of the settlement.

The corrective action plan requires Cascade to conduct an accurate and thorough risk analysis, implement a risk management plan, establish written policies and procedures for incident response and assign a unique name to identify user identities in systems that contain PHI.

Following the settlement, OCR urged all HIPAA-covered entities to safeguard their systems and take precautions to guard against cyberattacks.

Providence Medical Institute

In October 2024, OCR issued its fifth-ever ransomware enforcement action against Providence Medical Institute (PMI), a California-based healthcare organization consisting of 275 primary and specialty care providers. OCR levied a $240,000 civil monetary penalty against PMI.

The focus of OCR's investigation stemmed from the Center for Orthopaedic Specialists (COS), an organization that PMI acquired in July 2016. Amid the multiyear process of transitioning COS to PMI's network, COS was struck by ransomware on three separate occasions in 2018.

First, on Feb. 18, 2018, cyberthreat actors encrypted PHI during a ransomware attack after an employee clicked on a phishing email. COS restored its patient data using backups in the days following the attack.

However, on Feb. 25, 2018, cyberthreat actors targeted COS systems again. COS once again restored patient data using backups. On March 4, 2018, a third round of ransomware, perpetrated by the same cyberthreat actors, hit COS systems thanks to compromised administrator credentials that they had obtained during the first two attacks.

After PMI filed a report with OCR, OCR launched an investigation. PMI performed its own post-incident assessment as well, determining that COS had been using unsupported and obsolete operating systems to host PHI. COS also had an improperly configured firewall, and workforce members were sharing generic credentials with administrator access.

OCR's investigation revealed that PMI did not have a business associate agreement with COS' data management vendor until two years after its acquisition of COS, and that it failed to implement policies to allow only authorized individuals or programs to access PHI.

Based on these factors, OCR imposed a civil monetary penalty. As ransomware attacks continue to cause disruptions in the healthcare sector, OCR is taking action to enforce HIPAA and prevent future cyberattacks.

Jill McKeon has covered healthcare cybersecurity and privacy news since 2021.