date 2024-10-08

The HHS Office for Civil Rights settled two ransomware investigations involving potential HIPAA Security Rule violations and issued civil monetary penalties totaling $490,000. The cases marked OCR's fourth and fifth ransomware enforcement actions, respectively.

The separate settlements involved Cascade Eye and Skin Centers, a practice in Washington State, and California-based Providence Medical Institute. In both settlement announcements, OCR noted that it has seen a 264% increase in large data breaches involving ransomware since 2018.

"Failures to fully implement all of the HIPAA Security Rule requirements leave HIPAA covered entities and business associates vulnerable to cyberattacks at the expense of the privacy and security of patients' health information," said Melanie Fontes Rainer, OCR director, in a press release accompanying the Providence Medical Institute settlement.

"The health care sector needs to get serious about cybersecurity and complying with HIPAA. OCR will continue to stand up for patient privacy and work to ensure the security of health information of every person. On behalf of OCR, I urge all health care entities to always stay alert and take every precaution and steps to keep their systems safe from cyberattacks."

Cascade Eye and Skin Centers faces $250K penalty

In September 2024, following an investigation, OCR imposed a $250,000 civil monetary penalty on Cascade Eye and Skin Centers, a privately owned healthcare provider in Washington State. Cascade suffered a ransomware attack on May 26, 2017, in which the threat actors encrypted protected health information (PHI) and held it for ransom. The attack affected approximately 291,000 files.

OCR launched its investigation after receiving a complaint alleging that Cascade had experienced a ransomware attack. The investigation revealed alleged failures by Cascade to conduct a risk analysis identifying the vulnerabilities to PHI in its systems, as well as a failure to monitor its health information systems for activity that could signal a cyberattack.

In addition to the civil monetary penalty, Cascade agreed to implement a corrective action plan that OCR will monitor. Cascade did not admit any wrongdoing but agreed to the terms of the settlement. The corrective action plan requires Cascade to conduct an accurate and thorough risk analysis, implement a risk management plan, establish written policies and procedures for incident response, and assign a unique name to identify each user in systems that contain PHI.

Following the settlement, OCR urged all HIPAA-covered entities to safeguard their systems and take precautions to guard against cyberattacks.