Earlier this month, the U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR) announced a $240,000 civil monetary penalty against Providence Medical Institute in Southern California for potential violations of the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Security Rule, following OCR's investigation of a ransomware breach report.
In a news release, OCR stated it had opened the investigation after receiving a breach report filed by Providence Medical Institute in April 2018. In the report, Providence noted that its systems had been hit by a series of ransomware attacks that affected the electronic protected health information (ePHI) of 85,000 individuals.
OCR's investigation determined that servers containing ePHI were encrypted with ransomware three times. Two potential violations of the HIPAA Security Rule were identified: failure to have a business associate agreement in place (required under 45 CFR 164.308(b)), and failure to implement policies and procedures that allow access to ePHI only to those persons or software programs that have been granted access rights (the access control standard at 45 CFR 164.312(a)(1)).
Per the news release, OCR issued a Notice of Proposed Determination seeking to impose a civil money penalty in March 2024. Providence Medical Institute waived its right to a hearing and did not contest the findings. OCR then imposed the $240,000 civil penalty.
HHS reported a 264 percent increase in large breaches involving ransomware attacks reported to OCR since 2018.
“Failures to fully implement all of the HIPAA Security Rule requirements leaves HIPAA covered entities and business associates vulnerable to cyberattacks at the expense of the privacy and security of patients’ health information,” said OCR Director Melanie Fontes Rainer in a statement. “The healthcare sector needs to get serious about cybersecurity and complying with HIPAA. OCR will continue to stand up for patient privacy and work to ensure the security of health information of every person. On behalf of OCR, I urge all healthcare entities to always stay alert and take every precaution and step to keep their systems safe from cyberattacks.”