$240,000 Penalty Against CA-Based Providence Medical Institute

Oct. 14, 2024
Following an investigation, the HHS Office for Civil Rights imposed a penalty against Providence Medical Institute for violation of the HIPAA Security Rule

Earlier this month, the U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR) announced a $240,000 civil monetary penalty against Providence Medical Institute in Southern California. The penalty concerns potential violations of the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Security Rule and follows OCR’s investigation of a ransomware attack breach report.

In a news release, OCR stated it had initiated an investigation following the receipt of a breach report filed by Providence Medical Institute in April 2018. In the report, Providence noted that its systems were impacted by a series of ransomware attacks that affected the electronic protected health information (ePHI) of 85,000 persons.

OCR’s investigation determined that servers containing ePHI were encrypted with ransomware three times. Two potential violations of the HIPAA Security Rule were revealed, including failure to have a business associate agreement in place and failure to implement policies and procedures to allow only authorized people or software programs access to ePHI.

Per the news release, in March of 2024 OCR issued a Notice of Proposed Determination seeking to impose a civil money penalty. Providence Medical Institute waived its right to a hearing and did not contest the findings. OCR imposed a civil penalty of $240,000.

HHS reported a 264 percent increase in significant breaches involving ransomware attacks reported to OCR since 2018.

“Failures to fully implement all of the HIPAA Security Rule requirements leaves HIPAA covered entities and business associates vulnerable to cyberattacks at the expense of the privacy and security of patients’ health information,” said OCR Director Melanie Fontes Rainer in a statement. “The healthcare sector needs to get serious about cybersecurity and complying with HIPAA. OCR will continue to stand up for patient privacy and work to ensure the security of health information of every person. On behalf of OCR, I urge all healthcare entities to always stay alert and take every precaution and steps to keep their systems safe from cyberattacks.”
