HIPAA risk analysis gaps lead to 2 HHS enforcement actions

HHS settled two ransomware investigations concerning HIPAA risk analysis deficiencies, marking OCR's second and third enforcement actions under its risk analysis initiative.

The HHS Office for Civil Rights (OCR) settled two ransomware investigations, both of which involved HIPAA risk analysis gaps. The settlements, one involving Elgon Information Systems and the other involving Virtual Private Network Solutions, mark OCR's eighth and ninth ransomware investigations and its second and third enforcement actions under its risk analysis initiative.

OCR created the risk analysis initiative to highlight the importance of complying with the HIPAA Security Rule's risk analysis provisions and to increase the number of completed investigations.

"A HIPAA compliant risk analysis is not only required under the law, but is also an essential step in effective cybersecurity," said OCR Director Melanie Fontes Rainer. "The best defense to cyberattacks, such as hacking and ransomware, is ensuring that potential risks and vulnerabilities to electronic protected health information have been assessed."

HHS reaches $80,000 settlement with Elgon Information Systems

HHS reached an $80,000 settlement with Elgon Information Systems, a Massachusetts-based electronic medical record and billing support vendor, following a March 2023 ransomware attack and data breach that affected more than 31,000 individuals.

Elgon suffered a ransomware attack on March 25, 2023, when an unknown party accessed a server on its information system via open ports on Elgon's firewall. Elgon discovered the attack on March 31, 2023, when it found a ransom note. The data breach involved clinical and demographic data.

OCR launched an investigation and determined that Elgon failed to conduct an accurate and thorough risk analysis to identify potential risks and vulnerabilities to electronic protected health information (ePHI).

Elgon agreed to the settlement and a corrective action plan to address these deficiencies. Under the corrective action plan, Elgon will review its risk analysis processes to protect ePHI, update its enterprise-wide risk management plan, review its written policies and procedures for compliance with the HIPAA Privacy Rule and the HIPAA Security Rule, and provide workforce training.

HHS reaches $90,000 settlement with Virtual Private Network Solutions

OCR's third-ever enforcement action under the risk analysis initiative involved Virtual Private Network Solutions, or VPN Solutions, a Virginia-based company that provides data hosting and cloud services to HIPAA-covered entities.

VPN Solutions agreed to a $90,000 settlement and corrective action plan following an October 2021 ransomware attack and subsequent investigation by OCR.

VPN Solutions said it first became aware of the ransomware attack on Oct. 31, 2021. The ransomware attack resulted in the encryption of data pertaining to HIPAA-covered entities. The information involved in the incident included names, dates of birth, driver's license information, Social Security numbers, claim information, bank account numbers and medical information.

In December 2021, VPN Solutions filed a breach report on behalf of the 12 HIPAA-covered entities that were affected by the breach.

OCR launched an investigation and found that VPN Solutions had not adequately conducted an accurate and thorough risk assessment, putting ePHI at risk.

Under the terms of the corrective action plan, VPN Solutions will conduct a thorough risk analysis, implement a risk management plan to address the security risks identified in the risk analysis and revise its policies to comply with HIPAA as necessary.

VPN Solutions also must conduct a breach risk assessment of the October 2021 breach and certify to HHS that all covered entities affected by the breach have been notified.

"An accurate and thorough risk analysis is foundational to both HIPAA Security Rule compliance and protecting health information from cyberattacks," Fontes Rainer said in an accompanying press release.

"Failure to conduct a risk analysis leaves health care entities exposed to future hacking and ransomware attacks. OCR urges health care entities to take the necessary steps to reduce risks and vulnerabilities and safeguard protected health information."

Jill McKeon has covered healthcare cybersecurity and privacy news since 2021.