The U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR) announced a $240,000 civil monetary penalty against Providence Medical Institute after a ransomware attack in 2018 exposed the protected health information (PHI) of 85,000 individuals.
What happened
The California-based healthcare organization, Providence Medical Institute, suffered several ransomware attacks from February to March 2018 jeopardizing the PHI of 85,000 individuals. The breaches were reported to the OCR in April 2018.
Investigations showed that Providence failed to comply with HIPAA Security Rule requirements, specifically their lack of having business associate agreements (BAA) and controls that limit PHI access.
In March 2024, OCR issued a Notice of Proposed Determination seeking a civil monetary penalty. Providence Medical Institute waived its right to a hearing, leading OCR to impose a $240,000 fine.
Going deeper
In the 2018 attacks, Providence Medical Institute had three successive ransomware encryptions of its servers. According to the OCR’s investigation, the two HIPAA Security Rule violations were failure to establish a BAA and failure to implement adequate access controls to safeguard ePHI.
Moreover, this penalty is part of a larger trend with ransomware breaches increasing by 264% since 2018.
What was said
“Failures to fully implement all of the HIPAA Security Rule requirements leave HIPAA-covered entities and business associates vulnerable to cyberattacks at the expense of the privacy and security of patients’ health information,” said OCR Director Melanie Fontes Rainer. She added that the healthcare sector "needs to get serious about cybersecurity and complying with HIPAA."
Why it matters
The case shows that healthcare organizations are increasingly vulnerable to security incidents due to the destructive nature of ransomware incidents. Without BAA protections, healthcare organizations risk patients’ privacy and security and their organization’s stability.
The bottom line
Healthcare providers must use advanced cybersecurity features, including risk analysis, access controls, and breach responses. Otherwise, these organizations will suffer data breaches that expose patient privacy, and result in severe fines.
FAQs
What is a data breach?
A breach occurs when an unauthorized party gains access, uses or discloses protected health information (PHI) without permission. Breaches include hacking, losing a device containing PHI, or sharing information with unauthorized individuals.
See also: How to respond to a data breach
What should individuals do if their data has been compromised?
If individuals suspect their data has been compromised, they must monitor their accounts for suspicious activity and report any unauthorized transactions immediately.
Are there any costs associated with placing a fraud alert or credit freeze?
No, under U.S. law, consumers are entitled to a free credit report annually from each of the three major credit reporting bureaus, Equifax, Experian, and TransUnion. So, placing a fraud alert or credit freeze does not incur any costs.
