The U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR) has reached a $500,000 settlement with Plastic Surgery Associates of South Dakota to resolve potential violations of the Health Insurance Portability and Accountability Act (HIPAA) Security Rule. The settlement follows an OCR investigation into a ransomware attack that compromised the protected health information of more than 10,000 patients.
Key Takeaways
HHS OCR settled with Plastic Surgery Associates for $500,000.
The settlement addresses multiple HIPAA Security Rule violations.
The ransomware attack affected the data of 10,229 individuals.
OCR will monitor compliance for two years.
Background of the Incident
In July 2017, Plastic Surgery Associates reported a ransomware incident in which nine workstations and two servers were infected, exposing the protected health information (PHI) of 10,229 patients. The attackers gained their foothold by brute-forcing credentials against the organization's Remote Desktop Protocol (RDP) service, then used that access to encrypt sensitive data and demand a ransom for its release.
Investigation Findings
The OCR's investigation uncovered several potential violations of the HIPAA Security Rule, including:
Failure to conduct a compliant risk analysis to identify vulnerabilities to electronic protected health information (ePHI).
Inadequate security measures to mitigate identified risks.
Lack of procedures for regularly reviewing information system activity.
Insufficient policies to address security incidents.
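The finding on reviewing information system activity, together with the RDP brute-force entry described in the Background section, is exactly the pattern a routine log-review procedure is meant to surface: a burst of failed Remote Desktop logons from one source followed by a successful logon from that same source. The following is an added example, not code from the page, from OCR, or from the practice involved: a small Python detector run over constructed Windows Security log lines. The field names follow the real event schema (EventID 4625 = failed logon, 4624 = successful logon, LogonType 10 = RemoteInteractive, i.e. RDP); the one-line-per-event text format, the IP addresses and usernames, and the threshold and window values are assumptions for the example.

```python
"""Detect RDP credential brute-forcing followed by a successful logon from the
same source, in Windows Security log events.

Added example (not from the page, OCR, or the covered entity). The log format
below is a constructed, simplified text rendering of Windows Security events;
the field names follow the real event schema (EventID 4625 = failed logon,
4624 = successful logon, LogonType 10 = RemoteInteractive, i.e. RDP).
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log: a remote host hammering RDP with admin usernames and
# then logging in successfully; one legitimate user with a single typo; and a
# non-RDP network logon (LogonType 3) that the detector must ignore.
SAMPLE_LOG = """\
2017-07-10T02:00:00 EventID=4625 LogonType=10 TargetUserName=administrator IpAddress=203.0.113.45
2017-07-10T02:00:30 EventID=4625 LogonType=10 TargetUserName=admin IpAddress=203.0.113.45
2017-07-10T02:01:00 EventID=4625 LogonType=10 TargetUserName=administrator IpAddress=203.0.113.45
2017-07-10T02:01:30 EventID=4625 LogonType=10 TargetUserName=backup IpAddress=203.0.113.45
2017-07-10T02:02:00 EventID=4625 LogonType=10 TargetUserName=administrator IpAddress=203.0.113.45
2017-07-10T02:02:30 EventID=4625 LogonType=10 TargetUserName=admin IpAddress=203.0.113.45
2017-07-10T02:03:00 EventID=4625 LogonType=10 TargetUserName=jsmith IpAddress=198.51.100.7
2017-07-10T02:03:20 EventID=4624 LogonType=10 TargetUserName=jsmith IpAddress=198.51.100.7
2017-07-10T02:03:40 EventID=4624 LogonType=3 TargetUserName=svc_backup IpAddress=203.0.113.45
2017-07-10T02:04:00 EventID=4624 LogonType=10 TargetUserName=administrator IpAddress=203.0.113.45
"""

LINE_RE = re.compile(
    r"^(?P<time>\S+)\s+EventID=(?P<event_id>\d+)\s+LogonType=(?P<logon_type>\d+)"
    r"\s+TargetUserName=(?P<user>\S+)\s+IpAddress=(?P<src_ip>\S+)$"
)

FAILED_LOGON, SUCCESS_LOGON, RDP_LOGON_TYPE = 4625, 4624, 10


def parse_events(log_text):
    """Parse the constructed log format into dicts, skipping malformed lines,
    and return them in time order."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        events.append({
            "time": datetime.fromisoformat(m["time"]),
            "event_id": int(m["event_id"]),
            "logon_type": int(m["logon_type"]),
            "user": m["user"],
            "src_ip": m["src_ip"],
        })
    return sorted(events, key=lambda e: e["time"])


def detect_rdp_brute_force(events, threshold=5, window=timedelta(minutes=5)):
    """Sliding-window detector keyed on source IP.

    Emits a medium alert once an IP accumulates `threshold` failed RDP logons
    within `window`, and a high alert if that IP then logs on successfully
    while its recent failure count is still at or over the threshold (the
    access pattern that precedes a ransomware deployment over RDP).
    """
    recent_failures = defaultdict(deque)  # src_ip -> timestamps of 4625 events
    already_flagged = set()
    alerts = []
    for ev in events:
        if ev["logon_type"] != RDP_LOGON_TYPE:
            continue  # only RemoteInteractive (RDP) logons are in scope
        ip, t = ev["src_ip"], ev["time"]
        q = recent_failures[ip]
        while q and t - q[0] > window:
            q.popleft()  # age out failures older than the window
        if ev["event_id"] == FAILED_LOGON:
            q.append(t)
            if len(q) >= threshold and ip not in already_flagged:
                already_flagged.add(ip)
                alerts.append({"severity": "medium", "type": "rdp_brute_force",
                               "src_ip": ip, "failures": len(q),
                               "time": t.isoformat()})
        elif ev["event_id"] == SUCCESS_LOGON and len(q) >= threshold:
            alerts.append({"severity": "high",
                           "type": "rdp_success_after_brute_force",
                           "src_ip": ip, "user": ev["user"],
                           "failures": len(q), "time": t.isoformat()})
    return alerts


def analyze(log_text):
    """Parse and run the detector; returns the list of alerts."""
    return detect_rdp_brute_force(parse_events(log_text))


if __name__ == "__main__":
    for alert in analyze(SAMPLE_LOG):
        print(alert)
```

Run against the sample, the detector raises a medium alert on the fifth failure from 203.0.113.45 and a high alert when that address later succeeds as `administrator`; the single typo from 198.51.100.7 and the LogonType 3 service logon produce nothing. In a real deployment the input would be forwarded Security.evtx data rather than a text file, and the threshold and window would be tuned to the environment, but the logic is the same: a review procedure that only inspects logs after an incident would have seen this burst days late, which is the gap the finding above describes.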
Settlement Terms
As part of the settlement, Plastic Surgery Associates has agreed to:
Pay $500,000 to the OCR.
Implement a corrective action plan that includes:
Conducting a thorough risk analysis to identify vulnerabilities to ePHI.
Developing a written risk management plan to address identified risks.
Establishing policies for responding to security incidents, including documentation and mitigation strategies.
Creating and maintaining secure backups of ePHI, with regular testing for recoverability.
Ensuring that access to ePHI is restricted to authorized personnel only.
Revising policies related to the use and disclosure of PHI to ensure compliance.
Providing training to staff on HIPAA policies and procedures.
Importance of Cybersecurity in Healthcare
The settlement highlights the growing threat of ransomware in the healthcare sector: OCR reports a 264% increase since 2018 in large breaches involving ransomware attacks. OCR Director Melanie Fontes Rainer emphasized that such attacks frequently expose underlying failures to comply with HIPAA requirements, failures that leave healthcare providers attractive targets for cybercriminals.
Future Monitoring
The OCR will monitor Plastic Surgery Associates for two years to ensure compliance with the corrective action plan and adherence to HIPAA regulations. This ongoing oversight is intended to ensure that the safeguards for electronic protected health information required by the plan are actually implemented and maintained, not merely documented.
With cyber threats becoming more complex, safeguarding your business is more critical than ever. At BetterWorld Technology, we're constantly evolving to stay ahead of these risks, providing the expertise your company needs. Don’t wait until it's too late—book a consultation with BetterWorld Technology today, and let us help you fortify your cybersecurity defenses.
Sources
HHS Office for Civil Rights Settles Ransomware Cybersecurity Investigation for $500,000, DataBreaches.Net.