OCR Sees Uptick in Ransomware Incidents

by | Nov 4, 2024 | Government Enforcement, HIPAA, HIPAA Security, Security & Cybersecurity

OCR recently concluded three investigations, which resulted in settlement payments relating to ransomware incidents. The agency noted that there has been a 264% uptick in large ransomware breaches since 2018.

The first settlement was reached with Cascade Skin and Eye Centers in Washington state, which experienced a ransomware attack that affected nearly 300,000 files containing ePHI. To settle, Cascade agreed to pay $250,000 and entered into a corrective action plan with the agency.

The second settlement was for $500,000 with Plastic Surgery Associates of South Dakota. Multiple workstations and servers were infected with ransomware, affecting the records of over 10,000 patients. The company was ultimately not able to restore the data on the affected servers.

The third settlement was reached with the Bryan County Ambulance Authority in Oklahoma. The Authority’s network was attacked by ransomware, which exposed data from over 14,000 individuals.

In all three instances, OCR found that the entities that encountered the cybersecurity incidents had not conducted a compliant risk analysis and did not sufficiently monitor their health information systems’ activity. The corrective action plans for all three companies include conducting a thorough risk analysis and implementing a risk management plan to address the risks and vulnerabilities identified.

As cybersecurity threats, including ransomware, become increasingly common, OCR encourages all health care providers and other entities that are subject to HIPAA to proactively evaluate and mitigate potential risks and vulnerabilities through an accurate and thorough risk analysis.
