Thursday, November 14, 2024


Feds Hit Health Entity With $950K Fine in Ransomware Attack

Application Security, Fraud Management & Cybercrime, Healthcare

Settlement Is Another Signal of HHS OCR’s Latest Enforcement Priority

Heritage Valley Health Systems is paying $950,000 to settle potential HIPAA violations related to a ransomware attack investigation by HHS OCR. (Image: HVHS)

Federal regulators have hit a Pennsylvania-based healthcare system with a $950,000 financial fine and a corrective action plan to settle potential HIPAA violations found during an investigation into a 2017 ransomware attack against the group.


The settlement with Heritage Valley Health System is the third HIPAA enforcement action by the U.S. Department of Health and Human Services in a case involving ransomware. The number of ransomware-linked breaches reported to HHS OCR has nearly tripled since 2018, the agency said.

“Hacking and ransomware are the most common type of cyberattacks within the healthcare sector. Failure to implement the HIPAA Security Rule requirements leaves healthcare entities vulnerable and makes them attractive targets to cybercriminals,” said Melanie Fontes Rainer, director of HHS OCR, in a statement.

“Safeguarding patient-protected health information protects privacy and ensures continuity of care, which is our top priority. We remind and urge healthcare entities to protect their records systems and patients from cyberattacks.”

HHS OCR said its investigation into Heritage Valley’s incident discovered multiple potential violations of the HIPAA Security Rule. They include failures by Heritage Valley to: conduct a HIPAA security risk analysis, implement a contingency plan to respond to emergencies such as ransomware attacks, and implement policies and procedures to allow only authorized users access to electronic protected health information.

The resolution agreement in the case against Heritage Valley says HHS OCR initiated a compliance review of the entity after media reports said that the organization had experienced a data security incident.

The resolution agreement does not indicate whether Heritage Valley ever reported a HIPAA breach to HHS OCR involving the incident. No such report from Heritage Valley appears posted on HHS OCR’s HIPAA Breach Reporting Tool website, which lists health data breaches affecting 500 or more individuals.

Neither Heritage Valley nor HHS OCR immediately responded to Information Security Media Group’s request for comment and additional details about the entity’s ransomware incident.

Besides the financial fine, HHS OCR’s resolution agreement requires Heritage Valley to undertake a corrective action plan, which includes: conducting an accurate and thorough HIPAA security risk analysis; implementing a risk management plan; reviewing, developing, maintaining and revising its written policies and procedures to comply with the HIPAA Rules; and training its workforce on HIPAA policies and procedures.

Enforcement Trends

HHS OCR last October struck its first-ever HIPAA enforcement action involving a ransomware attack against Massachusetts-based medical management firm Doctor Management Group. The entity agreed to pay a $100,000 financial penalty and undergo three years of HIPAA compliance monitoring following an investigation into a ransomware breach reported in 2019 as affecting nearly 206,700 individuals (see: Feds Levy First-Ever HIPAA Fine for Ransomware Data Breach).

In its second ransomware-related enforcement action, HHS OCR in February hit Green Ridge Behavioral Health with a $40,000 financial settlement and a corrective action plan. The settlement resolved potential HIPAA violations that HHS OCR had found during its investigation into a 2019 ransomware and data exfiltration attack on the Gaithersburg, Maryland-based mental health provider. The incident compromised the protected health information of about 14,000 individuals (see: HHS OCR Tells Congress It Needs More Funding for HIPAA Work).

“Ransomware breaches have become an enforcement priority for OCR,” said privacy attorney Adam Greene of the law firm Davis Wright Tremaine. “I expect that we will continue to see financial enforcement actions in instances where OCR viewed that the regulated entity was not sufficiently prepared to defend against and respond to a ransomware attack.

“Covered entities and business associates should confirm that their HIPAA Security Rule risk analyses clearly capture risks related to ransomware attacks, that they maintain data backups that are safeguarded against potential ransomware infections, and that they have tested their disaster recovery efforts in response to a potential ransomware attack,” Greene said.

Fontes Rainer in a recent video interview with Information Security Media Group signaled that the agency’s scrutiny of ransomware attacks and other hacking breaches as a top HIPAA enforcement priority is intensifying (see: How HHS OCR Is Boosting HIPAA Enforcement; Here Come Audits).

“The number of breaches is going up. They’re getting bigger, infecting more people. And we know things like phishing, ransomware hacking are really substantive ways in which people’s systems are being infiltrated,” she said. “So, we’re really focused on this.”

As of Tuesday, of the 369 major health data breaches affecting 44.6 million individuals posted on the HHS OCR HIPAA breach website so far in 2024, 288 – or nearly 80% – are reported as hacking incidents. Those hacks affected 29.6 million individuals.

But the majority of HHS OCR’s HIPAA enforcement actions over the last several years have centered on patient “right of access” disputes.

HHS OCR so far has 48 enforcement actions in such cases since the agency launched a patient “right of access” compliance initiative in April 2019 (see: Feds Hit 2 Nursing Home Firms With ‘Right of Access’ Fines).
