HIPAA Times news | Concise, reliable news and insights on HIPAA compliance and regulations

Ransomware breach costs Michigan surgical group $10K in HIPAA settlement

Written by Kirsten Peremore | Jan 18, 2025 1:39:07 AM

In March 2023, Northeast Surgical Group, P.C. reported a ransomware breach affecting thousands of patients. OCR's investigation traced the exposure to the group's failure to conduct a HIPAA risk analysis, and OCR, which is cracking down on similar failures, has now settled with Northeast Surgical Group.


What happened 

On January 15, 2025, the U.S. Department of Health and Human Services (HHS), Office for Civil Rights (OCR), announced a settlement with Northeast Surgical Group, P.C. (NESG), a surgical services provider in Michigan, over potential violations of the HIPAA Security Rule. The case stemmed from a ransomware attack reported by NESG in March 2023, during which the protected health information (PHI) of 15,298 patients was encrypted and exfiltrated by attackers. 

OCR’s investigation revealed that NESG had failed to conduct a compliant risk analysis to identify and address vulnerabilities in its electronic PHI (ePHI) systems. As part of its settlement, NESG agreed to pay $10,000, implement a corrective action plan monitored for two years, and strengthen its compliance with the HIPAA Security Rule. The enforcement action marked OCR’s 10th ransomware-related case and the fourth under the Risk Analysis Initiative. 


What was said

OCR Director Melanie Fontes Rainer commented: “One of the first steps in implementing effective cybersecurity in health care is assessing the potential risks and vulnerabilities to electronic protected health information. A failure to conduct a HIPAA risk analysis will leave a health care entity vulnerable to cyberattacks, such as hacking and ransomware—which is bad for our health care system and bad for patients. We can and must do better.”


FAQs

What are common types of cyber threats?

Common cyber threats include malware, phishing, ransomware, denial-of-service (DoS) attacks, and man-in-the-middle attacks.


What is a data breach?

A data breach occurs when unauthorized individuals gain access to sensitive information, such as personal data or intellectual property.


What is malware?

Malware, short for malicious software, includes various harmful programs designed to disrupt or damage systems, such as viruses, worms, and trojans.