John Jordan

HHS Office for Civil Rights Settles Ransomware Cybersecurity Investigation for $500,000

The U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR) has reached a settlement with Plastic Surgery Associates of South Dakota, resulting in a $500,000 payment due to violations of the Health Insurance Portability and Accountability Act (HIPAA) Security Rule. This settlement follows an investigation into a ransomware attack that compromised the protected health information of over 10,000 patients.


Key Takeaways

  • HHS OCR settled with Plastic Surgery Associates for $500,000.

  • The settlement addresses multiple HIPAA Security Rule violations.

  • The ransomware attack affected the data of 10,229 individuals.

  • OCR will monitor compliance for two years.

Background of the Incident

In July 2017, Plastic Surgery Associates reported a ransomware incident that infected nine workstations and two servers. The breach affected the protected health information (PHI) of 10,229 patients. The attackers gained access through a brute-force attack on the organization’s Remote Desktop Protocol (RDP) service, which allowed them to encrypt sensitive data and demand a ransom for its release.

Investigation Findings

The OCR's investigation uncovered several potential violations of the HIPAA Security Rule, including:

  1. Failure to conduct a compliant risk analysis to identify vulnerabilities to electronic protected health information (ePHI).

  2. Inadequate security measures to mitigate identified risks.

  3. Lack of procedures for regularly reviewing information system activity.

  4. Insufficient policies to address security incidents.

Settlement Terms

As part of the settlement, Plastic Surgery Associates has agreed to:

  • Pay $500,000 to the OCR.

  • Implement a corrective action plan that includes:

      • Conducting a thorough risk analysis to identify vulnerabilities to ePHI.

      • Developing a written risk management plan to address identified risks.

      • Establishing policies for responding to security incidents, including documentation and mitigation strategies.

      • Creating and maintaining secure backups of ePHI, with regular testing for recoverability.

      • Ensuring that access to ePHI is restricted to authorized personnel only.

      • Revising policies related to the use and disclosure of PHI to ensure compliance.

      • Providing training to staff on HIPAA policies and procedures.

Importance of Cybersecurity in Healthcare

The settlement highlights the growing threat of ransomware attacks in the healthcare sector, which has seen a 264% increase in reported breaches since 2018. OCR Director Melanie Fontes Rainer emphasized that such attacks often expose underlying compliance failures with HIPAA requirements, making healthcare providers attractive targets for cybercriminals.

Future Monitoring

The OCR will monitor Plastic Surgery Associates for two years to ensure compliance with the corrective action plan and adherence to HIPAA regulations. This ongoing oversight aims to enhance the security of electronic protected health information and prevent future breaches in the healthcare industry.

With cyber threats becoming more complex, safeguarding your business is more critical than ever. At BetterWorld Technology, we're constantly evolving to stay ahead of these risks, providing the expertise your company needs. Don’t wait until it's too late—book a consultation with BetterWorld Technology today, and let us help you fortify your cybersecurity defenses.

Sources

  • HHS Office for Civil Rights Settles Ransomware Cybersecurity Investigation for $500,000 – DataBreaches.Net.
