
HHS Settles HIPAA Security Violations with Healthcare Provider Following Ransomware Attack


By BAS

The Department of Health and Human Services (HHS) reached a settlement over potential HIPAA Security Rule violations following a ransomware attack on a healthcare provider operating in Pennsylvania, Ohio, and West Virginia. The provider will pay $950,000 and adhere to a three-year corrective action plan (CAP), monitored by HHS.

The settlement stems from a compliance review that HHS opened in October 2017 after media reports of the ransomware incident. HHS found that the provider had failed to conduct an accurate and thorough risk analysis of the risks to its electronic protected health information (ePHI), had no contingency plan for responding to emergencies such as a ransomware attack that damages systems containing ePHI, and had not implemented policies and procedures limiting ePHI access to authorized users.

The CAP mandates a thorough risk analysis covering all facilities and electronic systems containing ePHI, development of a risk management plan, and periodic reviews of HIPAA policies. Additionally, the provider must submit annual reports to HHS and maintain documentation for six years.

Revised HIPAA policies must address risk management, information system activity review, password management, contingency planning, access control, and business associate agreements. These policies require HHS approval and distribution to all relevant personnel, with annual updates as necessary.

The provider must also revise and implement HIPAA training materials, ensuring all workforce members receive training and certification. Noncompliance events must be promptly investigated and reported to HHS.

HHS highlighted the growing threat of cyberattacks in healthcare, noting a significant rise in reported breaches involving ransomware. The settlement underscores that covered entities and business associates must identify the risks to their ePHI through a risk analysis and then actually mitigate them, rather than treating the analysis as a paperwork exercise.

Benefit Allocation Systems (BAS) provides online solutions for: Employee Benefits Enrollment; COBRA; Flexible Spending Accounts (FSAs); Health Reimbursement Accounts (HRAs); Leave of Absence Premium Billing (LOA); Affordable Care Act Record Keeping, Compliance & IRS Reporting (ACA); Group Insurance Premium Billing; Property & Casualty Premium Billing; and Payroll Integration.

MyEnroll360 integrates with major insurance carriers for enrollment eligibility management (e.g., Blue Cross, Blue Shield, Aetna, United Health Care, Kaiser, CIGNA and others), and with leading payroll platforms for enrollment deduction management (e.g., Workday, ADP, Paylocity, PayCor, UKG, and others).

This article is for informational purposes only and is not intended as legal, tax, or benefits advice. Readers should not rely on this information for taking (or not taking) any action relating to employment, compliance, or benefits. Always consult with a qualified professional before making decisions based on this content.
