The HHS Office for Civil Rights (OCR) issued its first HIPAA enforcement action of 2025, settling with Elgon Information Systems for an $80,000 penalty over violations tied to a ransomware attack.
Elgon Information Systems, a Massachusetts electronic medical records and billing support services provider, experienced a ransomware attack in March 2023. The breach occurred when hackers exploited open firewall ports to gain unauthorized access to Elgon’s network. The attackers infiltrated the network on March 25, 2023, and a ransom note demanding payment was discovered on March 31, 2023.
An internal investigation confirmed that 31,248 individuals had their electronic protected health information (PHI) exposed. Compromised data included names, addresses, Social Security numbers, driver’s license numbers, and sensitive clinical information like diagnoses, health conditions, and prescribed medications.
OCR investigated the breach and determined that Elgon Information Systems had failed to conduct a comprehensive risk analysis. More specifically, OCR determined that the open firewall ports were a vulnerability that could have been identified and mitigated through appropriate risk management practices.
As part of the settlement, Elgon paid an $80,000 penalty and agreed to a corrective action plan that requires it to review and update its risk analysis, its risk management processes, and its HIPAA-related policies. The company must also train its workforce on HIPAA compliance and undergo three years of compliance monitoring by OCR.
Since 2022, OCR has launched multiple initiatives to hold organizations accountable for risk analysis failures. This enforcement action is part of OCR’s broader effort to address deficiencies in risk analysis under HIPAA’s Security Rule.
The last round of OCR compliance audits (2016–2017) revealed that many HIPAA-regulated entities were not compliant with the risk analysis and risk management requirements. These shortcomings have been repeatedly identified during OCR investigations of data breaches.
OCR Director Melanie Fontes Rainer stated, “A HIPAA-compliant risk analysis is not only required under the law but is also an essential step in effective cybersecurity.”
Rainer added, “The best defense to cyberattacks, such as hacking and ransomware, is ensuring that potential risks and vulnerabilities to electronic protected health information have been assessed.”
Ransomware attacks are a persistent threat to the healthcare industry, often resulting in data breaches that compromise patients’ PHI. Healthcare entities must therefore maintain an accurate inventory of technology assets, track how PHI moves through their systems, and identify every location where PHI is created, maintained, or transmitted.
Proactively identifying and mitigating vulnerabilities, and the risks they pose, helps these entities uphold HIPAA’s Security Rule and avoid non-compliance penalties.
HIPAA compliance is required for covered entities, such as healthcare providers, health plans, and healthcare clearinghouses, as well as their business associates who handle protected health information (PHI).
Ransomware attacks are a type of cyberattack in which hackers gain unauthorized access to a computer, encrypt its data, and demand payment in exchange for restoring access to that data.
Hackers often target sensitive information like personal, financial, or healthcare data, crippling the victim’s operations until the ransom is paid or the data is recovered by other means.
Ransomware spreads through phishing emails, malicious links, or software vulnerabilities, exploiting weak cybersecurity defenses. Even after paying the ransom, victims are not guaranteed data recovery.
Yes, HIPAA-compliant email solutions, like Paubox, offer audit trails, access controls, and malware scanning to track PHI access and limit exposure to phishing and malware attacks.