2025-01-08

The HHS Office for Civil Rights settled two ransomware investigations, both of which involved HIPAA risk analysis gaps. The settlements, one involving Elgon Information Systems and the other involving Virtual Private Network Solutions, mark OCR's eighth and ninth ransomware investigations and its second and third enforcement actions under its risk analysis initiative.

OCR created the risk analysis initiative to highlight the importance of complying with the HIPAA Security Rule's risk analysis provisions and to increase the number of completed investigations.

"A HIPAA compliant risk analysis is not only required under the law, but is also an essential step in effective cybersecurity," said OCR Director Melanie Fontes Rainer. "The best defense to cyberattacks, such as hacking and ransomware, is ensuring that potential risks and vulnerabilities to electronic protected health information have been assessed."

HHS reaches $80,000 settlement with Elgon Information Systems

HHS reached an $80,000 settlement with Elgon Information Systems, a Massachusetts-based electronic medical record and billing support vendor, following a March 2023 ransomware attack and data breach that affected more than 31,000 individuals. Elgon suffered a ransomware attack on March 25, 2023, when an unknown party accessed a server on its information system via open ports on Elgon's firewall. Elgon discovered the attack on March 31, 2023, when it found a ransom note. The data breach involved clinical and demographic data. OCR launched an investigation and determined that Elgon had failed to conduct an accurate and thorough risk analysis to identify potential risks and vulnerabilities to electronic protected health information (ePHI). Elgon agreed to the settlement and to a corrective action plan to address these deficiencies. Under the corrective action plan, Elgon will review its risk analysis processes for protecting ePHI, update its enterprise-wide risk management plan, review its written policies and procedures for compliance with the HIPAA Privacy Rule and the HIPAA Security Rule, and provide workforce training.