Guam Memorial Hospital pays $25K to settle HIPAA probe
Lusanda Molefe Apr 19, 2025 3:27:12 PM

Guam Memorial Hospital Authority (GMHA) has agreed to pay $25,000 and operate under a three-year corrective action plan (CAP) to resolve potential HIPAA violations identified by the U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR). The investigation stemmed from two security incidents and revealed a failure to conduct required risk analyses.
What happened
OCR's investigation began following a complaint received in January 2019, alleging that GMHA experienced a ransomware attack in December 2018 affecting the electronic protected health information (ePHI) of approximately 5,000 individuals. While this investigation was underway, OCR received a second complaint in March 2023, alleging that unauthorized "hacker(s) had accessed patient records."
What's new
The HHS OCR investigation determined that GMHA potentially violated the HIPAA Security Rule by failing to conduct an accurate and thorough risk analysis to assess potential risks and vulnerabilities to the ePHI it maintained. To resolve these potential violations, GMHA entered into a resolution agreement with OCR, signed February 6, 2025, which includes a $25,000 payment and adherence to a comprehensive three-year CAP. This settlement is OCR's 11th enforcement action related to ransomware and the 7th action under its Risk Analysis Initiative, launched in 2024, which focuses on compliance with this foundational HIPAA requirement.
Why it matters
The settlement shows the importance the HHS OCR places on the HIPAA Security Rule's risk analysis requirement. Failing to perform a thorough risk analysis can leave patient data vulnerable to various threats, including ransomware and unauthorized access, potentially leading to breaches and regulatory penalties. The GMHA case serves as a reminder that comprehensive risk assessment is fundamental to protecting ePHI.
What they're saying
"Ransomware and hacking are the primary cyber-threats to electronic protected health information within the health care industry," said OCR Acting Director Anthony Archeval in the HHS statement. "Failure to conduct a HIPAA risk analysis puts this information at risk and vulnerable to future ransomware attacks and other cyber-threats."
The big picture
This enforcement action is part of OCR's broader Risk Analysis Initiative, signaling a heightened focus on ensuring healthcare organizations conduct thorough, ongoing assessments of risks to ePHI. OCR stresses that risk analysis should not be a one-time checklist but an annual, evolving process foundational to an effective cybersecurity posture. The settlement, despite its relatively small monetary amount, reinforces OCR's commitment to enforcing this fundamental Security Rule requirement across entities of all sizes.
FAQs
What is the HIPAA Security Rule?
The HIPAA Security Rule establishes national standards to protect individuals’ ePHI that is created, received, used, or maintained by covered entities (like hospitals, clinics, health plans) and their business associates. It requires implementing specific administrative, physical, and technical safeguards to ensure the confidentiality, integrity, and availability of ePHI.
What is ransomware?
Ransomware is malicious software (malware) designed to block access to a computer system or data, typically by encrypting files, until money (a ransom) is paid. Many ransomware attacks also involve stealing sensitive data and threatening to publish it if the ransom is not paid (double extortion).
What did the corrective action plan require?
The three-year plan mandates that GMHA conduct a thorough risk analysis, implement a risk management plan, improve reviews of system activity logs, update policies and training, and strengthen workforce access controls.