WANAN YOSSINGKUM/istock via Gett
HHS settles 2 investigations under HIPAA Security Rule
HHS imposed civil monetary penalties against two healthcare organizations following ransomware investigations and potential HIPAA Security Rule violations.
The HHS Office for Civil Rights settled two ransomware investigations involving potential HIPAA Security Rule violations and issued civil monetary penalties totaling $490,000. The cases marked OCR's fourth and fifth ransomware enforcement actions, respectively.
The separate settlements involved Cascade Eye and Skin Centers, a practice in Washington State, and California-based Providence Medical Institute. In both settlement announcements, OCR noted that it has seen a 264% increase in large data breaches involving ransomware since 2018.
"Failures to fully implement all of the HIPAA Security Rule requirements leaves HIPAA covered entities and business associates vulnerable to cyberattacks at the expense of the privacy and security of patients' health information," said Melanie Fontes Rainer, OCR director, in a press release accompanying the Providence Medical Institute settlement.
"The health care sector needs to get serious about cybersecurity and complying with HIPAA. OCR will continue to stand up for patient privacy and work to ensure the security of health information of every person. On behalf of OCR, I urge all health care entities to always stay alert and take every precaution and steps to keep their systems safe from cyberattacks."
Cascade Eye and Skin Centers faces $250K penalty
In September 2024, following an investigation, OCR imposed a $250,000 civil monetary penalty on Cascade Eye and Skin Centers, a privately owned healthcare provider in Washington state. Cascade suffered a ransomware attack on May 26, 2017.
During the ransomware attack, cyberthreat actors held protected health information (PHI) for ransom. The cyberattack affected approximately 291,000 files. OCR launched an investigation after receiving a complaint alleging that Cascade had experienced a ransomware attack.
OCR's investigation revealed alleged failures by Cascade to conduct a risk analysis to determine vulnerabilities to PHI in its systems, as well as failure to monitor its health information systems to protect against a cyberattack.
In addition to the civil monetary penalty, Cascade agreed to implement a corrective action plan that will be monitored by OCR. Cascade did not admit any wrongdoing but agreed to the terms of the settlement.
The corrective action plan requires Cascade to conduct an accurate and thorough risk analysis, implement a risk management plan, establish written policies and procedures for incident response and assign a unique name to identify user identities in systems that contain PHI.
Following the settlement, OCR urged all HIPAA-covered entities to safeguard their systems and take precautions to guard against cyberattacks.
Providence Medical Institute
In October 2024, OCR issued its fifth-ever ransomware enforcement action against Providence Medical Institute (PMI), a California-based healthcare organization consisting of 275 primary and specialty care providers. OCR levied a $240,000 civil monetary penalty against PMI.
The focus of OCR's investigation stemmed from the Center for Orthopaedic Specialists (COS), an organization that PMI acquired in July 2016. Amid the multiyear process of transitioning COS to PMI's network, COS was struck by ransomware on three separate occasions in 2018.
First, on Feb. 18, 2018, cyberthreat actors encrypted PHI during a ransomware attack after an employee clicked on a phishing email. COS restored its patient data using backups in the days following the attack.
However, on Feb. 25, 2018, cyberthreat actors targeted COS systems again. COS once again restored patient data using backups. On March 4, 2018, a third round of ransomware, perpetrated by the same cyberthreat actors, hit COS systems thanks to compromised administrator credentials that they had obtained during the first two attacks.
After PMI filed a report with OCR, OCR launched an investigation. PMI performed its own post-incident assessment as well, determining that COS had been using unsupported and obsolete operating systems to host PHI. COS also had an improperly configured firewall, and workforce members were sharing generic credentials with administrator access.
OCR's investigation revealed that PMI did not have a business associate agreement with COS' data management vendor until two years after its acquisition of COS, and that it failed to implement policies to allow only authorized individuals or programs to access PHI.
Based on these factors, OCR imposed a civil monetary penalty. As ransomware attacks continue to cause disruptions in the healthcare sector, OCR is taking action to enforce HIPAA and prevent future cyberattacks.
Jill McKeon has covered healthcare cybersecurity and privacy news since 2021.