Employer-sponsored Health Plan Pays $450K HIPAA Penalty
An investigation of a ransomware attack on the U.S. retailer Spencer Gifts that exposed the electronic protected health information (ePHI) of more than 10,000 members of its employer-sponsored health plan uncovered potential violations of the HIPAA Rules. Those alleged violations have been resolved with a $450,000 financial penalty. Spencer Gifts has also agreed to adopt a corrective action plan to address the areas of noncompliance discovered by the HHS’ Office for Civil Rights (OCR) while investigating the data breach.
The HIPAA investigation was launched after OCR received a report on January 24, 2022, about a breach of the unsecured protected health information of 10,023 members of Spencer Gifts’ Flexible Benefits and Welfare Benefit Plans. A ransomware group had gained access to its network on November 24, 2021, and retained access until the attack was identified on November 26, 2021. The ransomware group encrypted files, and potentially viewed or exfiltrated ePHI such as names, contact information, dates of birth, and Social Security numbers.
HIPAA-regulated entities must implement safeguards to reduce risks and vulnerabilities to ePHI to a reasonable and appropriate level. In order for risks to be mitigated, HIPAA-regulated entities must first identify those risks and vulnerabilities. OCR is targeting noncompliance with the risk analysis implementation specification of the HIPAA Security Rule, as it is a critical first step toward safeguarding ePHI.
OCR determined that Spencer Gifts had not conducted a comprehensive and accurate risk analysis, and prior to the ransomware attack and data breach, had not implemented reasonable and appropriate policies and procedures to comply with the HIPAA Privacy, Security, and Breach Notification Rules.
OCR informed Spencer Gifts about the outcome of its investigation and the intention to impose a financial penalty to resolve the alleged HIPAA violations. Spencer Gifts opted to settle the alleged violations and agreed to pay a financial penalty and adopt a corrective action plan. The corrective action plan requires Spencer Gifts to conduct a comprehensive and accurate risk analysis, develop and implement HIPAA policies and procedures, and conduct staff training on the new policies and procedures.
This was OCR’s 20th ransomware-related enforcement action and its 14th financial penalty under its risk analysis enforcement initiative. HIPAA-regulated entities should note that OCR is expanding the risk analysis enforcement initiative to also cover risk management. In the event of a data breach, complaint, or compliance review, OCR will also want to see evidence that risks have been identified through a risk analysis and have then been assessed, prioritized, and remediated in a timely manner.
“Effective cybersecurity starts with Security Rule compliance, ensuring that Security Rule provisions are implemented before a cyberattack occurs,” said OCR Director Paula M. Stannard. “Regulated entities — including covered group health plans — should ensure these protections are firmly in place well before a cyberattack occurs, so the privacy and security of individuals’ health information remain safeguarded.”
