Summary:
A $250K fine issued after a ransomware attack exposed 300K patient records highlights critical HIPAA compliance failures and cybersecurity gaps.
ABSTRACT
Back in March 2017, Cascade Eye and Skin Centers in Washington state suffered a ransomware attack that resulted in nearly 300,000 patient records being breached. OCR — as a routine step — investigated the organization to assess its HIPAA-compliance security measures. The Office found multiple potential violations, including Cascade Eye and Skin Centers’ failure to conduct risk analyses to determine the vulnerabilities to ePHI in its systems. OCR went on to conclude that the practice did not have sufficient monitoring of its health information systems’ activity to protect against a cyber-attack.
The results of the investigation left Cascade with no better choice than to cooperate with a “plea-deal-like” settlement offered by OCR. The practice agreed to pay $250,000 and implement a Corrective Action Plan (CAP) that requires many steps, including:
Conduct thorough risk analysis of systems to identify vulnerabilities to the confidentiality, integrity, and availability of its ePHI;
Implement a compliant risk-management plan;
Overhaul processes and procedures and documentation supporting them; and
Develop emergency response plans in case of breach.
If you want to see the full resolution agreement and study the details, it is posted on the HHS website: https://www.hhs.gov/hipaa/for-professionals/compliance-enforcement/agreements/cascade-eye-skin-centers-ra-cap/index.html
EXPERT COMMENTARY
We have almost grown used to big health systems and hospitals getting slapped with huge fines and expensive mitigation and correction plans, not to mention costs for providing patients with free credit-monitoring services for a year or more after their PHI has been exposed. (Free credit monitoring has become the standard way of compensating patients, even though it is not specifically required by law.)
Other organizations — right down to small medical practices — are now seeing action by OCR that can leave them suffering a huge, unnecessary expense. “Unnecessary” because the expense is avoidable, yet few small-to-mid-sized organizations have maintained a bullet-proof (or even resistant) HIPAA security plan. And many smaller practices are woefully under-insured for the costs associated with a HIPAA disaster.
A properly designed plan is not hard to acquire, but diligently following the plan is difficult. It is like a clinic’s fire-escape plan. If you have one, you probably have not reviewed it or practiced any of it. Safety and security often take a back seat in our priorities. Start with this query: Who is your practice’s HIPAA Privacy Officer?
Source: Department of Health and Human Services, September 26, 2024; https://www.hhs.gov/about/news/2024/09/26/hhs-office-civil-rights-settles-ransomware-cybersecurity-investigation-under-hipaa-security-rule-250-000.html