The Department of Health and Human Services (HHS) Office for Civil Rights (OCR) has announced the outcome of its investigation into a ransomware attack on a South Dakota plastic surgery practice. This is the sixth OCR ransomware investigation to result in a financial penalty.
According to OCR, large data breaches involving ransomware have increased by 264% since 2018 as ransomware groups have concentrated their attacks on healthcare organizations. OCR investigates all large data breaches and has closed some ransomware-related investigations without seeking civil monetary penalties; it pursues financial penalties when it confirms non-compliance with the HIPAA Rules. In several guidance documents and videos, OCR has stressed that compliance with the HIPAA Security Rule improves protection against ransomware attacks, helps covered entities detect an attack at its outset, and limits the extent of an attack.
Ransomware attacks usually expose a provider’s failure to meet HIPAA Security Rule requirements, such as performing a risk analysis and managing the identified risks and threats to health data. Such failures make doctors and hospitals appealing targets for cybercriminals, and the resulting attacks can disrupt the health care system.
The ransomware attack that prompted the investigation occurred in February 2017. Plastic Surgery Associates of South Dakota notified OCR of the breach in July 2017, reporting that the attack had affected two servers and nine workstations storing the protected health information (PHI) of 10,229 individuals. Plastic Surgery Associates of South Dakota could not restore the servers from backups, so it paid the $53,000 ransom in two Bitcoin payments.
The ransomware group gained access to the internal network by brute-forcing the credentials used for Remote Desktop Protocol (RDP) access. Covered entities can defend against brute force attacks by placing remote access behind a VPN, using strong and unique passwords, applying multifactor authentication, and monitoring unsuccessful login attempts.
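Monitoring unsuccessful login attempts, the last of the controls listed above, is the one that can catch an RDP brute-force attempt while it is still in progress. The script below is an added example for this article, not code from OCR, HHS or the practice. It assumes a simple constructed log format of one failed logon per line (timestamp, source address, account name) and flags any source that accumulates five or more failures within a five-minute sliding window; the same windowing logic applies to Windows Security event 4625 records or a VPN gateway's authentication log.

```python
"""Flag RDP brute-force activity from failed-logon records.

Added example for this article (not code from OCR/HHS or the practice).
Log format is an assumption for illustration, one failed logon per line:
    <ISO-8601 timestamp> <source_ip> <account_name>
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log: one source sprays a few privileged account names
# in quick succession, a second source is a user mistyping a password twice,
# and the first source reappears hours later with a single failure.
SAMPLE_LOG = """\
2017-02-10T02:14:01 203.0.113.7 administrator
2017-02-10T02:14:03 203.0.113.7 administrator
2017-02-10T02:14:04 203.0.113.7 admin
2017-02-10T02:14:06 203.0.113.7 administrator
2017-02-10T02:14:07 203.0.113.7 backup
2017-02-10T02:14:09 203.0.113.7 administrator
2017-02-10T02:30:00 198.51.100.20 jsmith
2017-02-10T02:31:10 198.51.100.20 jsmith
2017-02-10T09:00:00 203.0.113.7 administrator
"""


def parse_line(line):
    """Split one log line into (timestamp, source_ip, account_name)."""
    ts, ip, user = line.split()
    return datetime.fromisoformat(ts), ip, user


def detect_bruteforce(log_text, threshold=5, window=timedelta(minutes=5)):
    """Return one alert per burst of failures from a single source.

    Each alert is (source_ip, first_ts, last_ts, count, sorted_account_names)
    and is raised the moment a source reaches `threshold` failures inside the
    sliding `window`. A source is eligible to alert again only after its
    failure count within the window has dropped back below the threshold.
    """
    recent = defaultdict(deque)   # source_ip -> deque of (ts, account) in window
    alerted = set()               # sources whose current burst already alerted
    alerts = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, ip, user = parse_line(line)
        q = recent[ip]
        q.append((ts, user))
        # Drop entries that have aged out of the window (input is time-ordered).
        while q and ts - q[0][0] > window:
            q.popleft()
        if len(q) < threshold:
            alerted.discard(ip)
        elif ip not in alerted:
            alerted.add(ip)
            accounts = sorted({u for _, u in q})
            alerts.append((ip, q[0][0], ts, len(q), accounts))
    return alerts


if __name__ == "__main__":
    for ip, first, last, count, accounts in detect_bruteforce(SAMPLE_LOG):
        print(f"ALERT {ip}: {count} failed logons between {first} and {last}, "
              f"accounts tried: {', '.join(accounts)}")
```

On the constructed sample, the script raises a single alert for 203.0.113.7 after its fifth failure and stays quiet about the legitimate user with two typos; the lone failure at 09:00 does not re-trigger because the earlier entries have aged out of the window. In production the threshold and window should be tuned against the organization's normal failure rate, and an alert should feed an account-lockout or source-blocking response rather than only a log line.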
OCR’s investigation found significant noncompliance with the HIPAA Rules, as in several of its other ransomware investigations. The plastic surgery practice had not conducted an accurate and thorough risk analysis to identify risks and vulnerabilities to electronic protected health information (ePHI), and had not implemented policies and procedures to prevent, detect, contain, and correct security violations. A failure to identify risks and vulnerabilities means the entity could not have implemented appropriate security measures to reduce them.
Under the HIPAA Security Rule, covered entities must implement policies and procedures for the regular review of activity in information systems containing ePHI. Plastic Surgery Associates of South Dakota had not implemented such policies and procedures, and it also had no policies and procedures for responding to security incidents. Plastic Surgery Associates of South Dakota chose not to contest the findings and agreed to a settlement, without admitting liability or wrongdoing. The settlement includes a $500,000 financial penalty, a corrective action plan to address the noncompliance, and two years of monitoring to ensure the provider complies with the corrective action plan.
The corrective action plan requires the following action from Plastic Surgery Associates of South Dakota:
- perform a comprehensive risk analysis
- create and execute a written risk management plan to minimize the identified risks
- enforce policies and procedures for security incident response
- follow policies and procedures to set up and keep recoverable backups of ePHI
- enforce policies and procedures for confirming identities and limiting ePHI access
- create written policies on ePHI uses and disclosures
- upgrade breach notification policies and procedures
- provide HIPAA training to employees
In announcing the settlement, OCR reminded HIPAA-covered entities of the importance of the HIPAA Security Rule and of taking action to mitigate and prevent cyber threats. HIPAA-covered entities can further strengthen their security by implementing the practices set out in the HHS Cybersecurity Performance Goals (CPGs). This is OCR’s 10th enforcement action with a financial penalty in 2024 and the third-largest fine of the year. OCR has imposed $7,050,200 in penalties to resolve HIPAA violations.