On July 1, 2024, the Office for Civil Rights (OCR) released details on its recent settlement with Heritage Valley Health System for $950,000 due to noncompliance with the HIPAA Security Rule that was revealed after a ransomware attack. This represents OCR’s third major settlement related to ransomware attacks since 2018, highlighting a 264% increase in large breaches. The investigation uncovered multiple potential violations, leading to a corrective action plan that OCR will monitor for three years.
Here’s how the prior major settlements were resolved:
- Doctors’ Management Services (DMS): On October 31, 2023, OCR reached its first ransomware-related settlement agreement due to a breach reported by the company, which resulted from a ransomware attack that had gone undetected for almost two years and impacted approximately 206,695 individuals. The agreement included a $100,000 fine for DMS, as well as a three-year corrective action plan.
- Lafourche Medical Group (LMG): On December 7, 2023, OCR announced its first phishing-related settlement agreement, also due to a breach reported by the company, which affected the electronic protected health information of approximately 34,862 individuals. The agreement included a $480,000 fine for LMG and a two-year corrective action plan.
OCR’s recommendations for healthcare organizations, health plan providers, clearinghouses, and business associates include:
- Reviewing contractor and vendor relationships
- Conducting regular risk analyses and integrating risk management into business processes
- Requiring staff training related to cybersecurity and protecting private data
- Utilizing multi-factor authentication and data encryption, along with other security protocols
Clearly, the world of cyber-attacks continues to evolve and create new hurdles for companies and regulatory bodies alike. Ensuring that appropriate risk mitigation and remediation strategies are already in place is the best way both to get ahead of cyber threats and to stay in alignment with frequently shifting regulatory requirements under HIPAA or other applicable standards.
While maintaining compliance and protecting data amid the dawn of the age of AI and increasingly complex cyber threats can seem overwhelming and costly for any business, Blip Business Technologies offers its Managed Compliance as a Service (MCaaS) program to keep your technology systems and data secure and compliant with a multitude of regulatory standards. Learn more about how Blip can protect your business on our Technology Compliance and Security page.
About the Author: Sara is the Compliance and Communications Director at Blip Business Technologies. She has over a decade of compliance experience in various industries, including education and nonprofits. A lifelong learner, Sara holds master’s degrees in communications and business leadership.