Plastic Surgery Associates of South Dakota Settles with OCR for $500,000

On October 31, 2024, the US Department of Health and Human Services (HHS) Office for Civil Rights (OCR) announced a $500,000 settlement with Plastic Surgery Associates of South Dakota (PSA) following a ransomware attack that compromised the protected health information (PHI) of more than 10,000 patients.

 

What happened

Following a July 2017 ransomware attack, OCR’s investigation into PSA revealed several HIPAA Security Rule violations. Hackers accessed PSA’s network through a brute force attack, infecting nine workstations and two servers with ransomware. Unable to restore servers from backup, PSA ultimately paid hackers over $27,000 in Bitcoin for decryption keys to regain access to its patients' PHI. 

OCR’s findings suggested PSA had not conducted a thorough risk analysis, implemented adequate security measures, or regularly reviewed information system activity. The settlement requires PSA to pay $500,000 and adopt a corrective action plan, which includes conducting a risk analysis, managing security incidents, and revising breach notification policies.

 

What was said

OCR's press release stated, PSA demonstrated significant noncompliance with the HIPAA Rules, with PSA failing to:

  • “Conduct an accurate and thorough risk analysis of potential risks and vulnerabilities to the confidentiality, integrity, and availability of all its PHI.
  • Implement security measures sufficient to reduce risks and vulnerabilities to a reasonable and appropriate level. 
  • Establish and implement policies and procedures for regularly reviewing activity on its information systems that contain electronic PHI. 
  • Implement policies and procedures to address security incidents.”

 

Why it matters

With a 264% increase in ransomware breaches since 2018, healthcare organizations must increase their cybersecurity to protect patient data. Specifically, PSA’s corrective actions, like secure PHI backups and multi-factor authentication, should be implemented by all healthcare providers to strengthen defenses.

 

The bottom line

As breaches become more frequent, healthcare providers must protect sensitive patient data and remain HIPAA compliant. Implementing proactive security measures will help address risks before they lead to costly breaches and settlements.

 

FAQs

What is a data breach?

A breach occurs when an unauthorized party accesses, uses, or discloses protected health information (PHI) without permission. Breaches include hacking, losing a device containing PHI, or sharing information with unauthorized individuals.

See also: How to respond to a data breach

 

How are regulations like HIPAA changing with new threats?

Regulations are becoming stricter to address new threats like quantum computing. Healthcare organizations must update their encryption practices and use HIPAA compliant platforms like Paubox to avoid these risks.

 

Does email encryption improve cybersecurity?

Yes, encryption converts email content into a secure format that only authorized recipients can access. It prevents unauthorized PHI disclosure that leads to costly data breaches and HIPAA fines.