The HHS’ Office for Civil Rights (OCR) has resolved a ransomware investigation with a financial penalty. Northeast Surgical Group, P.C., a surgical services provider based in Michigan, agreed to pay $10,000 to settle a potential HIPAA Security Rule violation. The provider had failed to perform a comprehensive and appropriate risk analysis to identify risks and vulnerabilities to the confidentiality, integrity, and availability of electronic protected health information (ePHI).
Northeast Surgical Group notified OCR on March 6, 2023 of a ransomware attack on its network that resulted in the encryption of the ePHI of 15,298 patients. The forensic investigation confirmed that the ransomware group exfiltrated files containing patient data before encrypting them. The provider’s entire patient population was potentially affected. OCR investigated the breach to determine whether Northeast Surgical Group had complied with the HIPAA Rules and found that it had not performed a HIPAA-compliant risk analysis. That failure led OCR to issue its fourth financial penalty under its risk analysis enforcement initiative and its tenth enforcement action associated with a ransomware attack.
OCR resolved the alleged HIPAA violation through a settlement, with Northeast Surgical Group agreeing to pay $10,000 as a financial penalty. The provider must also implement a corrective action plan that requires it to conduct a HIPAA-compliant risk analysis, develop a plan to reduce the identified risks to a reasonable and acceptable level, revise its current policies and procedures related to risk analysis, implement the risk management plan, and train employees on the revised policies and procedures. OCR will monitor Northeast Surgical Group’s compliance with the corrective action plan for two years.
Since 2018, large data breaches linked to ransomware attacks have increased by 264%. In most cases, the attackers exploited vulnerabilities that a risk analysis should have identified and that should have been remediated before exploitation. OCR Director Melanie Fontes Rainer stated that assessing the potential risks and vulnerabilities to ePHI is an essential step in effective healthcare cybersecurity. A healthcare entity that does not conduct a HIPAA risk analysis leaves itself exposed to cyberattacks such as hacking and ransomware, which disrupt the healthcare system and patient care.