Following its investigation of a ransomware breach, the Office for Civil Rights (OCR) of the U.S. Department of Health and Human Services (HHS) announced today that it has reached a settlement with Plastic Surgery Associates of South Dakota in Sioux Falls over multiple potential violations of the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Security Rule. Ransomware and hacking are the two leading cyberthreats facing the healthcare sector.
Ransomware is a type of malicious software, or malware, designed to deny users access to their data until a ransom is paid. This is typically done by encrypting the data with a key known only to the attacker who deployed the malware. Since 2018, the number of large ransomware-related breaches reported to OCR has increased by 264%. Throughout October, which is Cybersecurity Awareness Month, OCR has been working with health plans, health care clearinghouses, most healthcare providers, and their business associates to raise awareness of the types of cyberattacks occurring and of how to strengthen the security of their data.
The HIPAA Privacy, Security, and Breach Notification Rules, which OCR enforces, set out the requirements that covered entities (health plans, health care clearinghouses, and most healthcare providers) and their business associates must follow to protect the privacy and security of protected health information. The HIPAA Security Rule establishes national standards for protecting electronic protected health information (ePHI) that a covered entity creates, receives, uses, or maintains, and requires appropriate administrative, physical, and technical safeguards to ensure the confidentiality, integrity, and security of that ePHI. The settlement concludes OCR's investigation of Plastic Surgery Associates of South Dakota and this ransomware attack.
OCR opened its investigation after receiving a breach report from Plastic Surgery Associates of South Dakota in July 2017. The report stated that two servers and nine workstations had been infected with ransomware, compromising the protected health information of 10,229 people. The attacker or attackers gained access to Plastic Surgery Associates of South Dakota's network by means of a brute force attack, a hacking technique that uses trial and error to guess passwords, login credentials, encryption keys, and the like. After discovering the intrusion, Plastic Surgery Associates of South Dakota was unable to restore the affected servers from backup.
OCR's investigation identified multiple potential violations of the HIPAA Security Rule. These included failing to conduct a compliant risk analysis to identify the potential risks and vulnerabilities to ePHI in its systems; failing to implement security measures sufficient to reduce those risks and vulnerabilities to a reasonable and appropriate level; failing to implement procedures to regularly review records of information system activity; and failing to implement policies and procedures to address security incidents.
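The two findings above are connected: a brute force attack of the kind described earlier leaves an obvious trail of failed logins in the very activity records that were not being reviewed. The following is an added example, not code from the press release or from Plastic Surgery Associates of South Dakota, of a sliding-window detector that flags a source address producing a burst of authentication failures and, separately, a successful login that follows such a burst (the sign that credential guessing has worked). The syslog-like line format, the threshold of five failures in sixty seconds, the IP addresses, and the account names are all constructed for illustration and are not taken from the incident.

```python
"""Brute force login detection over authentication log records.

Added example, not from the OCR press release. The log format, the
sample lines, the threshold and the window are assumptions chosen for
illustration; adapt LINE_RE and the parameters to the real log source.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed format: "<ISO timestamp> auth: <FAIL|OK> user=<name> src=<ip>"
LINE_RE = re.compile(
    r"^(?P<ts>\S+) auth: (?P<status>FAIL|OK) user=(?P<user>\S+) src=(?P<src>\S+)$"
)


def parse_line(line):
    """Return (timestamp, status, user, src), or None if the line does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return (datetime.fromisoformat(m["ts"]), m["status"], m["user"], m["src"])


def detect_bruteforce(lines, threshold=5, window=timedelta(seconds=60)):
    """Scan log lines in time order and return a list of findings.

    'burst'              : `threshold` or more failures from one source
                           address inside `window`
    'success_after_burst': a successful login from a source whose failure
                           count inside `window` is at or above `threshold`

    A source is reported for a burst at most once per window, so a
    long-running attack does not emit one finding per extra failure.
    """
    recent = defaultdict(deque)  # src -> timestamps of failures still in the window
    alerted = {}                 # src -> time of the last burst finding
    findings = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue  # unrelated or malformed line; a real detector would count these
        ts, status, user, src = rec
        q = recent[src]
        # Slide the window: discard failures older than `window`.
        while q and ts - q[0] > window:
            q.popleft()
        if status == "FAIL":
            q.append(ts)
            if len(q) >= threshold and (src not in alerted or ts - alerted[src] > window):
                alerted[src] = ts
                findings.append({"type": "burst", "src": src, "count": len(q), "at": ts})
        elif len(q) >= threshold:
            # A success right after a burst means the guessing likely succeeded.
            findings.append({"type": "success_after_burst", "src": src,
                             "user": user, "failures": len(q), "at": ts})
    return findings


# Constructed sample: 10.0.0.5 guesses passwords for two accounts and finally
# gets in; 10.0.0.9 is an ordinary user who mistypes a password once.
SAMPLE_LOG = """\
2017-07-01T02:00:00 auth: FAIL user=admin src=10.0.0.5
2017-07-01T02:00:03 auth: FAIL user=admin src=10.0.0.5
2017-07-01T02:00:05 auth: FAIL user=jsmith src=10.0.0.9
2017-07-01T02:00:06 auth: FAIL user=admin src=10.0.0.5
2017-07-01T02:00:09 auth: FAIL user=backup src=10.0.0.5
2017-07-01T02:00:12 auth: FAIL user=backup src=10.0.0.5
2017-07-01T02:00:15 auth: OK user=jsmith src=10.0.0.9
2017-07-01T02:00:18 auth: FAIL user=backup src=10.0.0.5
2017-07-01T02:00:21 auth: OK user=backup src=10.0.0.5
2017-07-01T02:05:00 auth: FAIL user=admin src=10.0.0.5
""".splitlines()


def analyze_sample():
    """Run the detector over the constructed sample log."""
    return detect_bruteforce(SAMPLE_LOG)


if __name__ == "__main__":
    for finding in analyze_sample():
        print(finding)
```

On the sample, the detector reports one burst for 10.0.0.5 (five failures within twelve seconds) and one success-after-burst for the `backup` account; the single mistyped password from 10.0.0.9 and the isolated failure five minutes later produce nothing. Keying the same window by target account instead of source address catches password spraying, where one account is tried from many addresses; running either variant on a schedule is the kind of routine review of information system activity records that the Security Rule expects.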
Under the terms of the settlement, Plastic Surgery Associates of South Dakota paid OCR $500,000 and agreed to implement a corrective action plan that requires it to take several steps to address the potential HIPAA Security Rule violations and to protect the security of electronic protected health information. OCR will monitor the plan for two years.