U.S. Health Department Settles Landmark HIPAA Ransomware Violation Case

In late October, the U.S. Department of Health and Human Services (HHS) settled a case with a Massachusetts-based medical management company for alleged HIPAA violations, according to an article by Hall Benefits Law. The company, serving as a HIPAA business associate (BA) for covered entities, agreed to pay $100,000 and adhere to a three-year corrective action plan (CAP). This settlement is noteworthy as it is the first to address HIPAA violations stemming from ransomware attacks.

The violations came to light in 2019 when the company reported a ransomware attack on its server two years earlier, exposing the electronic protected health information (ePHI) of over 206,000 individuals. HHS found that the BA breached HIPAA’s Privacy Rule by disclosing ePHI without authorization and the Security Rule by failing to conduct a thorough risk analysis, implement adequate information system activity review procedures, and establish compliant security policies.

The CAP outlines measures the company must take over the next three years to rectify the violations. In terms of HIPAA policy and procedures, the BA is required to revise existing policies, focusing on security awareness, training, and regular review of information system activities. These revised policies must be promptly distributed to all relevant employees, and any noncompliance or sanctions must be reported to HHS.

Training is a key component of the CAP, necessitating the revision of HIPAA training materials and their submission for approval. The BA must provide compliance training to all employees with access to protected health information (PHI), with annual training thereafter. Detailed records of training compliance must be maintained for six years.

Regarding risk analysis and management, the BA must conduct a comprehensive assessment of potential risks and vulnerabilities in its system storing ePHI. This includes inventorying electronic equipment, implementing security measures, and obtaining HHS approval for the risk analysis. The CAP mandates the development of a risk management plan to address identified vulnerabilities, detailing remediation actions, timelines, and evaluation processes, subject to HHS approval.

The three-year plan aims to enhance the company’s adherence to HIPAA regulations, focusing on policies, training, and risk management to safeguard ePHI and prevent future violations.