On October 31, 2024, the U.S. Department of Health and Human Services (“HHS”), Office for Civil Rights (“OCR”), announced a $500,000 settlement with Plastic Surgery Associates of South Dakota (“PSA”) concerning potential violations of the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”) Security Rule. The settlement follows an extensive investigation of PSA that was triggered by a ransomware attack compromising the protected health information (“PHI”) of more than 10,000 individuals and by PSA’s required disclosure of the breach to OCR.
What you need to know:
- OCR is dedicated to addressing ransomware incidents and ensuring compliance with HIPAA.
- Investigations conducted by OCR can lead to costly settlements and continued oversight of a covered entity’s HIPAA compliance.
- In order to mitigate or prevent cyber-attacks, HIPAA-covered entities and business associates are required to abide by the regulations in the HIPAA Security Rule and Privacy Rule.
In July 2017, PSA was the victim of a ransomware attack that infected nine of its workstations and two of its servers, affecting the PHI of 10,229 PSA patients. The attackers gained access to PSA’s network through a brute force attack, a technique that systematically guesses passwords until one succeeds. Once inside, they deployed ransomware, and PSA was unable to restore the affected servers from backup. Ultimately, PSA made two bitcoin ransom payments totaling in excess of $27,000 in exchange for decryption keys from the attackers in order to regain access to its patients’ PHI.
OCR’s subsequent investigation of PSA suggested that PSA had failed to: (i) conduct an accurate risk analysis to identify vulnerabilities in its electronic protected health information (“ePHI”) systems, (ii) implement sufficient security measures to mitigate identified risks and vulnerabilities to ePHI, and (iii) establish procedures to regularly review information system activity and respond to security incidents.
As part of the settlement, PSA agreed to pay $500,000 to OCR and entered into a two-year comprehensive corrective action plan under which PSA has agreed to do each of the following:
- conduct an accurate and thorough risk analysis of its ePHI;
- develop a written risk management plan to address and mitigate identified risks effectively;
- implement policies and procedures for responding to security incidents, including processes for identifying, documenting, and mitigating the effects of such incidents;
- establish methods to create and maintain secure backups of ePHI, including regular testing;
- implement policies to ensure that only authorized individuals have access to ePHI;
- revise its HIPAA policies and procedures to train its workforce on understanding the circumstances under which PHI may be used or disclosed, how to identify impermissible uses and disclosures of PHI, and how to report potential violations; and
- revise its breach notification policies to ensure timely communication with affected individuals and relevant authorities after a breach occurs.
The PSA settlement underscores the increasing prevalence of ransomware and other cyber threats in the health care sector. As noted in the HHS OCR press release announcing the PSA settlement, reported ransomware-related breaches have increased by a staggering 264% since 2018, prompting OCR to enhance its outreach and education efforts regarding cybersecurity.
A copy of the PSA corrective action plan can be accessed here: Plastic Surgery Associates of South Dakota Resolution Agreement and Corrective Action Plan.
In light of the continuous e-security threats confronting health care providers and other parties, the OCR press release highlighting the PSA settlement suggested “the following steps to mitigate or prevent cyber-threats:
- Review all vendor and contractor relationships to ensure business associate agreements are in place as appropriate and address breach/security incident obligations.
- Integrate risk analysis and risk management into business processes; conducted regularly and when new technologies and business operations are planned.
- Ensure audit controls are in place to record and examine information system activity.
- Implement regular review of information system activity.
- Utilize multi-factor authentication to ensure only authorized users are accessing ePHI.
- Encrypt ePHI to guard against unauthorized access to ePHI.
- Incorporate lessons learned from incidents into the overall security management process.
- Provide training specific to organization and job responsibilities and on a regular basis; reinforce workforce members’ critical role in protecting privacy and security.”
The PSA settlement with OCR was certainly not a ‘treat’ for PSA and, in addition to the significant payment made to OCR, was likely a costly and lengthy process for this medical practice.
Saul Ewing regularly assists covered entities and business associates with respect to HIPAA compliance issues, breach responses, business associate agreements, and drafting and updating HIPAA policies and procedures.
Saul Ewing’s Health Care Practice is thrilled to welcome new associate colleague and alert co-author, Bunyad Bhatti, who is resident in the firm’s Princeton office. Bunyad represents health care providers and facilities in matters including regulatory compliance, corporate governance and mergers and acquisitions. Welcome, Bunyad!