The U.S. Department of Health and Human Services’ (HHS) Office for Civil Rights (OCR) settled two ransomware investigations involving potential violations of the HIPAA Security Rule, which establishes national standards to protect individuals’ electronic personal health information (PHI).
In September 2024, OCR imposed a $250,000 civil monetary penalty against Cascade Eye and Skin Centers, a privately owned healthcare provider in Washington state, TechTarget reports. Cascade suffered a ransomware attack on May 26, 2017. PHI was held for ransom during the cyberattack, impacting approximately 291,000 files.
OCR’s investigation into the ransomware attack uncovered alleged failures by Cascade to conduct a risk analysis to determine vulnerabilities to PHI in its systems and to monitor its health information systems to protect against a cyberattack. Cascade did not admit any wrongdoing but agreed to implement a corrective action plan that will be monitored by OCR.
Providence Medical Institute Hit by Ransomware 3 Times
In October 2024, OCR issued a $240,000 civil monetary penalty against Providence Medical Institute (PMI), a California-based healthcare organization with 275 primary and specialty care providers. In July 2016, PMI acquired the Center for Orthopaedic Specialists (COS). During the multi-year process of transitioning COS to PMI’s network, COS was hit by ransomware on three separate occasions in 2018.
During the first attack, threat actors encrypted PHI after an employee clicked on a phishing email. COS was able to restore its patient data using backups but hackers targeted the systems again one week later. Eight days later, the same hackers accessed COS systems again using administrator credentials they had obtained during the first two attacks.
OCR’s investigation revealed that PMI did not have a business associate agreement with COS’ data management vendor until two years after its acquisition and that it failed to implement policies to allow only authorized individuals or programs to access PHI. The PHI of around 85,000 individuals was exposed during the three attacks.
OCR first issued a Notice of Proposed Determination in March 2024. PMI waived its right to a hearing and did not contest OCR’s findings, according to a press release.
The cases marked OCR’s fourth and fifth ransomware enforcement actions to date, and they come as large healthcare data breaches involving ransomware have increased 264% since 2018.
“Failures to fully implement all of the HIPAA Security Rule requirements leaves HIPAA covered entities and business associates vulnerable to cyberattacks at the expense of the privacy and security of patients’ health information,” OCR director Melanie Fontes Rainer wrote in a press release. “The health care sector needs to get serious about cybersecurity and complying with HIPAA. OCR will continue to stand up for patient privacy and work to ensure the security of health information of every person. On behalf of OCR, I urge all health care entities to always stay alert and take every precaution and steps to keep their systems safe from cyberattacks.”