Elgon Inc. and Virtual Private Network Solutions have agreed to pay $170,000 in fines and implement corrective action plans after investigations revealed their failures to comply with HIPAA security requirements, following ransomware breaches that compromised sensitive patient data.
A Massachusetts-based billing services provider and a Virginia-based data hosting company have agreed to settlements with federal regulators over ransomware breaches. The U.S. Department of Health and Human Services' Office for Civil Rights (HHS OCR) levied fines totaling $170,000 and mandated corrective actions after investigations revealed the firms failed to comply with the HIPAA Security Rule.
Elgon Inc., headquartered in Worcester, Massachusetts, agreed to pay $80,000 for a 2023 breach affecting over 31,000 patients. Richmond, Virginia-based Virtual Private Network Solutions (VPN Solutions) was fined $90,000 for a 2021 breach impacting 6,400 individuals.
Elgon's system was compromised on March 25, 2023, when a threat actor gained access through open firewall ports. The intrusion went undetected for nearly a week, until a ransom note was discovered on March 31. The compromised data, which belonged to a single Elgon client, Century Homecare, included names, Social Security numbers, and clinical information.
HHS OCR’s investigation found that Elgon failed to conduct an enterprise-wide HIPAA security risk analysis. This settlement is the agency's eighth HIPAA enforcement action tied to ransomware and its second under the 2024 HIPAA Security Risk Analysis initiative.
VPN Solutions experienced a ransomware attack on October 31, 2021, leading to the encryption of sensitive patient data. The breach affected 12 of its covered-entity clients, exposing data such as Social Security numbers, diagnoses, and financial information.
HHS OCR determined that VPN Solutions had likewise failed to perform a thorough HIPAA security risk analysis. Its settlement is the ninth HIPAA enforcement action linked to ransomware and the third under the agency's security risk analysis initiative.
“A HIPAA-compliant risk analysis is not only required under the law but is also an essential step in effective cybersecurity,” said HHS OCR Director Melanie Fontes Rainer. “The best defense to cyberattacks, such as hacking and ransomware, is ensuring that potential risks and vulnerabilities to electronically protected health information have been assessed.”
Regulatory attorney Rachel Rose emphasized the importance of proactive measures: “If there is not a current risk analysis, get one done by a qualified professional immediately… The second step is to address the gaps that were identified concerning technical, administrative, and physical safeguards.”
Rose also recommended implementing multifactor authentication and reading key federal documents, such as the White House Blueprint for an AI Bill of Rights and FDA guidance on AI-enabled medical devices.
The settlements with Elgon and VPN Solutions are a reminder to healthcare organizations and their business associates to prioritize cybersecurity. A comprehensive, documented risk analysis, policies that are kept current, and safeguards that address the gaps the analysis finds are the baseline for protecting sensitive patient data, and the absence of that analysis was the common finding in both cases.
Healthcare organizations can prepare for ransomware by regularly conducting security risk assessments, patching software and systems promptly, training staff on cybersecurity best practices, and implementing security controls such as properly restricted firewalls (with no unnecessary ports exposed to the internet), encryption of data at rest and in transit, and multifactor authentication (MFA) on remote access and administrative accounts.
The consequences of a breach can include civil monetary penalties or settlements with regulators such as HHS OCR, reputational damage, legal costs, and the loss of patient trust. As the Elgon and VPN Solutions cases show, organizations are also typically required to fund a corrective action plan, including a fresh risk analysis and updated cybersecurity policies, under regulatory monitoring.
After a ransomware attack, organizations should isolate affected systems while preserving forensic evidence, investigate the scope of the breach, and restore data from backups that have been verified as clean and uncompromised. Notification is not optional: under the HIPAA Breach Notification Rule, a business associate must notify the affected covered entity without unreasonable delay and no later than 60 days after discovery, and the covered entity must notify affected individuals within that same window; breaches affecting 500 or more individuals must also be reported to HHS OCR at that time, while smaller breaches may be logged and reported annually. Organizations should also give affected individuals clear guidance on protecting their data.