Northeast Surgical Group Pays $10,000 to Resolve Ransomware Investigation

The HHS’ Office for Civil Rights (OCR) has resolved a ransomware investigation with a financial penalty. Northeast Surgical Group, P.C., a surgical services provider based in Michigan, agreed to pay $10,000 to settle a potential HIPAA Security Rule violation. The provider had failed to perform a comprehensive and accurate risk analysis to identify the risks and vulnerabilities to the confidentiality, integrity, and availability of its electronic protected health information (ePHI).

Northeast Surgical Group submitted a breach notification to OCR on March 6, 2023, about a ransomware attack on its network that resulted in the encryption of the ePHI of 15,298 patients. The forensic investigation confirmed that the ransomware group exfiltrated files containing patient data before deploying ransomware to encrypt files. The healthcare provider’s entire patient population was potentially affected. OCR investigated the data breach to determine whether Northeast Surgical Group had complied with the HIPAA Rules and found that it had not conducted a HIPAA-compliant risk analysis. This failure led OCR to issue its fourth financial penalty under its risk analysis enforcement initiative and its tenth enforcement action associated with a ransomware attack.

OCR chose to resolve the alleged HIPAA violation through a settlement, with Northeast Surgical Group agreeing to pay a $10,000 financial penalty. The healthcare provider must also adopt a corrective action plan that requires it to conduct a HIPAA-compliant risk analysis, develop a risk management plan to reduce the identified risks to a reasonable and acceptable level, revise its current policies and procedures relating to risk analysis and risk management, implement that risk management plan, and provide HIPAA training to employees on the revised policies and procedures. OCR will monitor Northeast Surgical Group’s compliance with the corrective action plan for two years.

Since 2018, large data breaches linked to ransomware attacks have increased by 264%. In most cases, the attackers exploited vulnerabilities that a risk analysis should have identified and that should have been remediated before they could be exploited. OCR Director Melanie Fontes Rainer stated that assessing the potential risks and vulnerabilities to ePHI is an essential step toward effective cybersecurity in healthcare. Failing to conduct a HIPAA risk analysis leaves a healthcare entity exposed to cyberattacks such as hacking and ransomware, which disrupt the healthcare system and the delivery of patient care.

Daniel Lopez

Daniel Lopez stands out as an exceptional HIPAA trainer, dedicated to elevating standards in healthcare data protection and privacy. Daniel, recognized as a leading authority on HIPAA compliance, serves as the HIPAA specialist for Healthcare IT Journal. He consistently offers insightful and in-depth perspectives on a wide range of HIPAA-related topics, addressing both typical and complex compliance issues. With his extensive experience, Daniel has made significant contributions to multiple publications such as hipaacoach.com, ComplianceJunction, and The HIPAA Guide, enriching the field with his deep knowledge and practical advice in HIPAA regulations. Daniel offers a comprehensive training program that covers all facets of HIPAA compliance, including privacy, security, and breach notification rules. Daniel's educational background includes a degree in Health Information Management and certifications in data privacy and security. You can contact Daniel via HIPAAcoach.com.
