The U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR) has agreed to a $250,000 settlement with Cascade Eye and Skin Centers after investigating a ransomware attack that exposed electronic protected health information (ePHI).
The ransomware settlement is the fourth the OCR has agreed to, after a reported 264% increase in ransomware breaches since 2018.
The OCR began its investigation after a ransomware attack left Cascade Eye and Skin Centers with about 291,000 files containing PHI exposed. The investigation revealed several HIPAA Security Rule violations, including the healthcare provider’s failure to conduct a comprehensive risk analysis and to adequately monitor its electronic health record (EHR) system.
The case was eventually settled once Cascade agreed to pay a fee of $250,000 and implement improved risk management procedures and security protocols.
Over the next two years, the OCR will manage Cascade’s corrective plans including:
OCR Director Melanie Fontes Rainer stated, “Cybercriminals continue to target the healthcare sector with ransomware attacks. Health care entities that do not thoroughly assess the risks to electronic protected health information and regularly review the activity within their electronic health record system leave themselves vulnerable to attack, and expose their patients to unnecessary risks of harm.”
The HIPAA Security Rule sets national standards for safeguarding PHI. It requires covered entities to implement administrative, physical, and technical safeguards. Administrative safeguards cover risk analysis and the development of security management policies, while physical safeguards require that access to the facilities and equipment where ePHI is stored be protected.
Technical safeguards require appropriately secure user authentication and encryption of ePHI, for example through a HIPAA compliant solution like Paubox, which automatically encrypts outgoing communications.
Due to the increasing rate of cyber threats in healthcare, there is a greater need for adherence to these security safeguards. Ransomware, a kind of cyberattack that encrypts a victim's data and then demands payment for a decryption key, has become one of the main risks to patient privacy today.
Apart from significant financial fines, entities found violating the HIPAA Security Rule also face reputational damage since breaches will undermine patient confidence in their ability to safeguard PHI.
Covered entities must regularly conduct risk assessments, monitor their systems, and implement access controls to avoid data breaches. Moreover, continued vigilance will help protect patients’ PHI and maintain HIPAA compliance.
Healthcare organizations process large quantities of protected health information (PHI), making them an appealing target for this type of attack. Aside from disrupting healthcare operations, a ransomware incident can lead to financial fines under the HIPAA Security Rule and reputational damage for the organization.
Healthcare organizations must regularly conduct risk assessments, maintain strong access controls, and actively monitor their systems to prevent unauthorized access. Furthermore, using a HIPAA compliant platform, like Paubox, helps mitigate the risk of these cyberattacks.
OCR investigates breaches to determine whether the covered entity adhered to HIPAA’s Privacy, Security, and Breach Notification Rules at the time of the breach. The investigation involves reviews of risk analyses, security policies and procedures, and breach response protocols. Entities found non-compliant could be fined and required to develop corrective action plans.