On October 31, 2024, the U.S. Department of Health and Human Services’ (“HHS”) Office for Civil Rights (“OCR”) announced a resolution agreement and corrective action plan with Plastic Surgery Associates of South Dakota in Sioux Falls (“PSASD”) stemming from the organization’s failure to comply with the HIPAA Security Rule. In July 2017, PSASD notified OCR of the breach. PSASD’s breach report indicated that in February 2017, nine workstations and two servers were infected with ransomware, impacting the protected health information (“PHI”) of 10,229 individuals. The threat actor gained access to PSASD’s network using a brute force attack on the company’s remote desktop protocol. PSASD was unable to restore the affected servers from backups and made two Bitcoin payments, which totaled $27,399.97, to the threat actor in exchange for decryption keys.
OCR’s subsequent investigation indicated multiple potential violations of the HIPAA Security Rule, including PSASD’s failure to conduct a compliant risk analysis to determine the potential risks and vulnerabilities to electronic PHI (“ePHI”) in its systems, implement security measures sufficient to reduce the risks and vulnerabilities to ePHI to a reasonable and appropriate level, implement procedures to regularly review records of information system activity, and implement policies and procedures to address security incidents.
The resolution agreement requires PSASD to pay $500,000 to OCR and implement a corrective action plan that OCR will monitor for two years, including the following measures:
- Conducting an accurate and thorough risk analysis to determine the potential risks and vulnerabilities to the confidentiality, integrity and availability of its ePHI, including a comprehensive asset inventory to be completed prior to the risk analysis;
- Implementing a written risk management plan to address and mitigate security risks and vulnerabilities identified in the risk analysis;
- Implementing policies and procedures to address security incidents, including (1) a process for identifying and responding to known security incidents, (2) mitigating, to the extent practicable, harmful effects of known security incidents, and (3) documenting (in writing) security incidents and their outcomes;
- Implementing policies and procedures to establish methods to create and maintain retrievable exact copies of ePHI, including a process to (1) test the recoverability of backups on a regular basis to ensure that a retrievable exact copy will be available, (2) create and maintain multiple copies of encrypted backups, and (3) securely store backups in differing locations;
- Implementing policies and procedures to verify the identity of a person or entity seeking access to ePHI;
- Implementing policies and procedures for electronic information systems that maintain ePHI to allow access only to those persons or software programs that have been granted access rights;
- Revising its policies and procedures relating to the uses and disclosures of PHI to ensure that its workforce members understand (1) the circumstances under which PHI may be used and disclosed, (2) how to identify situations that constitute impermissible uses and disclosures of PHI, and (3) how and when to report situations that might constitute impermissible uses and/or disclosures of PHI;
- Revising its breach notification policies and procedures to ensure that its workforce members understand that, following a breach of unsecured PHI, affected individuals must be notified without unreasonable delay and in no case later than 60 (sixty) calendar days after the discovery of the breach, and that notification must be made to the HHS Secretary and, in certain circumstances, to the media; and
- Training its workforce on HIPAA policies and procedures.
The same day, OCR also announced a resolution agreement and corrective action plan with Bryan County Ambulance Authority (“BCAA”), an Oklahoma-based provider of emergency medical services. In May 2022, OCR received a breach report regarding a November 2021 ransomware incident. The report indicated that the incident impacted the PHI of approximately 14,273 patients. OCR subsequently launched an investigation and determined that BCAA failed to conduct a conduct a compliant risk analysis to determine the potential risks and vulnerabilities to ePHI in BCAA’s systems in accordance with the HIPAA Security Rule.
Pursuant to the resolution agreement, BCAA agreed to pay $90,000 and enter into a corrective action plan that OCR will monitor for three years, including:
- Conducting an accurate and thorough risk analysis to determine the potential risks and vulnerabilities to the confidentiality, integrity, and availability of its ePHI, including a complete asset inventory;
- Implementing an enterprise-wide risk management plan to address and mitigate security risks and vulnerabilities identified in the risk analysis;
- Developing, maintaining distributing, and revising, as necessary, its written policies and procedures to comply with the HIPAA Rules; and
- Training its workforce on its HIPAA policies and procedures.
The settlements mark the sixth and seventh OCR enforcement actions related to ransomware attacks (read our previous coverage on Cascade Eye and Skin Centers, P.C. and Providence Medical Institute). The BCAA settlement also is the first enforcement action in OCR’s Risk Analysis Initiative. OCR’s Risk Analysis Initiative was “created to focus select investigations on compliance with the HIPAA Security Rule Risk Analysis provision, a key Security Rule requirement, and the foundation for effective cybersecurity and the protection of electronic protected health information (ePHI).” Read more information on OCR’s Security Risk Assessment Tool, which provides helpful insight into how OCR views the HIPAA Risk Analysis requirement.
Search
Recent Posts
- Website Use of Third-Party Tracking Software Not Prohibited Under Massachusetts Wiretap Act
- HHS Announces Additional Settlements Following Ransomware Attacks Including First Enforcement Under Risk Analysis Initiative
- Employee Monitoring: Increased Use Draws Increased Scrutiny from Consumer Financial Protection Bureau
Categories
- Behavioral Advertising
- Centre for Information Policy Leadership
- Children’s Privacy
- Cyber Insurance
- Cybersecurity
- Enforcement
- European Union
- Events
- FCRA
- Financial Privacy
- General
- Health Privacy
- Identity Theft
- Information Security
- International
- Marketing
- Multimedia Resources
- Online Privacy
- Security Breach
- U.S. Federal Law
- U.S. State Law
- Workplace Privacy
Tags
- Aaron Simpson
- Accountability
- Adequacy
- Advertisement
- Advertising
- American Privacy Rights Act
- Anna Pateraki
- Anonymization
- Anti-terrorism
- APEC
- Apple Inc.
- Argentina
- Arkansas
- Article 29 Working Party
- Artificial Intelligence
- Australia
- Austria
- Automated Decisionmaking
- Baltimore
- Bankruptcy
- Belgium
- Biden Administration
- Big Data
- Binding Corporate Rules
- Biometric Data
- Blockchain
- Bojana Bellamy
- Brazil
- Brexit
- British Columbia
- Brittany Bacon
- Brussels
- Business Associate Agreement
- BYOD
- California
- CAN-SPAM
- Canada
- Cayman Islands
- CCPA
- CCTV
- Chile
- China
- Chinese Taipei
- Christopher Graham
- CIPA
- Class Action
- Clinical Trial
- Cloud
- Cloud Computing
- CNIL
- Colombia
- Colorado
- Committee on Foreign Investment in the United States
- Commodity Futures Trading Commission
- Compliance
- Computer Fraud and Abuse Act
- Congress
- Connecticut
- Consent
- Consent Order
- Consumer Protection
- Cookies
- COPPA
- Coronavirus/COVID-19
- Council of Europe
- Council of the European Union
- Court of Justice of the European Union
- CPPA
- CPRA
- Credit Monitoring
- Credit Report
- Criminal Law
- Critical Infrastructure
- Croatia
- Cross-Border Data Flow
- Cyber Attack
- Cybersecurity and Infrastructure Security Agency
- Data Brokers
- Data Controller
- Data Localization
- Data Privacy Framework
- Data Processor
- Data Protection Act
- Data Protection Authority
- Data Protection Impact Assessment
- Data Transfer
- David Dumont
- David Vladeck
- Delaware
- Denmark
- Department of Commerce
- Department of Health and Human Services
- Department of Homeland Security
- Department of Justice
- Department of the Treasury
- District of Columbia
- Do Not Call
- Do Not Track
- Dobbs
- Dodd-Frank Act
- DPIA
- E-Privacy
- E-Privacy Directive
- Ecuador
- Ed Tech
- Edith Ramirez
- Electronic Communications Privacy Act
- Electronic Privacy Information Center
- Elizabeth Denham
- Employee Monitoring
- Encryption
- ENISA
- EU Data Protection Directive
- EU Member States
- European Commission
- European Data Protection Board
- European Data Protection Supervisor
- European Parliament
- Facial Recognition Technology
- FACTA
- Fair Credit Reporting Act
- Fair Information Practice Principles
- Federal Aviation Administration
- Federal Bureau of Investigation
- Federal Communications Commission
- Federal Data Protection Act
- Federal Trade Commission
- FERC
- FinTech
- Florida
- Food and Drug Administration
- Foreign Intelligence Surveillance Act
- France
- Franchise
- Fred Cate
- Freedom of Information Act
- Freedom of Speech
- Fundamental Rights
- GDPR
- Geofencing
- Geolocation
- Georgia
- Germany
- Global Privacy Assembly
- Global Privacy Enforcement Network
- Gramm Leach Bliley Act
- Hacker
- Hawaii
- Health Data
- Health Information
- HIPAA
- HIPPA
- HITECH Act
- Hong Kong
- House of Representatives
- Hungary
- Illinois
- India
- Indiana
- Indonesia
- Information Commissioners Office
- Information Sharing
- Insurance Provider
- Internal Revenue Service
- International Association of Privacy Professionals
- International Commissioners Office
- Internet
- Internet of Things
- IP Address
- Ireland
- Israel
- Italy
- Jacob Kohnstamm
- Japan
- Jason Beach
- Jay Rockefeller
- Jenna Rode
- Jennifer Stoddart
- Jersey
- Jessica Rich
- John Delionado
- John Edwards
- Kentucky
- Korea
- Latin America
- Laura Leonard
- Law Enforcement
- Lawrence Strickling
- Legislation
- Liability
- Lisa Sotto
- Litigation
- Location-Based Services
- London
- Madrid Resolution
- Maine
- Malaysia
- Markus Heyder
- Maryland
- Massachusetts
- Meta
- Mexico
- Microsoft
- Minnesota
- Mobile App
- Mobile Device
- Montana
- Morocco
- MySpace
- Natascha Gerlach
- National Institute of Standards and Technology
- National Labor Relations Board
- National Science and Technology Council
- National Security
- National Security Agency
- National Telecommunications and Information Administration
- Nebraska
- NEDPA
- Netherlands
- Nevada
- New Hampshire
- New Jersey
- New Mexico
- New York
- New Zealand
- Nigeria
- Ninth Circuit
- North Carolina
- Norway
- Obama Administration
- OECD
- Office for Civil Rights
- Office of Foreign Assets Control
- Ohio
- Oklahoma
- Opt-In Consent
- Oregon
- Outsourcing
- Pakistan
- Parental Consent
- Payment Card
- PCI DSS
- Penalty
- Pennsylvania
- Personal Data
- Personal Health Information
- Personal Information
- Personally Identifiable Information
- Peru
- Philippines
- Phyllis Marcus
- Poland
- PRISM
- Privacy By Design
- Privacy Policy
- Privacy Rights
- Privacy Rule
- Privacy Shield
- Protected Health Information
- Ransomware
- Record Retention
- Red Flags Rule
- Regulation
- Rhode Island
- Richard Thomas
- Right to Be Forgotten
- Right to Privacy
- Risk-Based Approach
- Rosemary Jay
- Russia
- Safe Harbor
- Sanctions
- Schrems
- Scott Kimpel
- Securities and Exchange Commission
- Security Rule
- Senate
- Serbia
- Service Provider
- Singapore
- Smart Grid
- Smart Metering
- Social Media
- Social Security Number
- South Africa
- South Carolina
- South Dakota
- South Korea
- Spain
- Spyware
- Standard Contractual Clauses
- State Attorneys General
- Steven Haas
- Stick With Security Series
- Stored Communications Act
- Student Data
- Supreme Court
- Surveillance
- Sweden
- Switzerland
- Taiwan
- Targeted Advertising
- Telecommunications
- Telemarketing
- Telephone Consumer Protection Act
- Tennessee
- Terry McAuliffe
- Texas
- Text Message
- Thailand
- Transparency
- Transportation Security Administration
- Trump Administration
- United Arab Emirates
- United Kingdom
- United States
- Unmanned Aircraft Systems
- Uruguay
- Utah
- Vermont
- Video Privacy Protection Act
- Video Surveillance
- Virginia
- Viviane Reding
- Washington
- Whistleblowing
- Wireless Network
- Wiretap
- ZIP Code