OCR Settles Ransomware Attack Investigation with Washington Healthcare Provider

Cascade Eye and Skin Centers HIPAA Settlement - hipaaguide.net

The Department of Health and Human Services (HHS) Office for Civil Rights (OCR) has announced a settlement has been reached with a Washington healthcare provider to resolve violations of the HIPAA Security Rule that were uncovered during an investigation of a ransomware-related data breach.

Cascade Eye and Skin Centers, P.C., a privately-owned healthcare provider in the state of Washington, experienced a ransomware attack in March 2017 that saw an unauthorized third party gain access to a network server where around 291,000 files were stored that contained electronic protected health information. OCR said it learned of the attack on May 26, 2017, and launched an investigation to determine if the healthcare provider was compliant with the HIPAA Rules.

OCR's investigation uncovered potential violations of two provisions of the HIPAA Security Rule: the requirement to conduct a comprehensive, accurate assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of electronic protected health information (ePHI) – 45 C.F.R. § 164.308(a)(1)(ii)(A) – and the requirement to implement procedures to regularly review records of information system activity – 45 C.F.R. § 164.308(a)(1)(ii)(D).

Cascade Eye and Skin Centers chose to settle the alleged violations with no admission of wrongdoing or liability and agreed to pay a $250,000 financial penalty and adopt a corrective action plan. OCR will monitor Cascade Eye and Skin Centers for compliance with that plan for a period of 2 years. The corrective action plan includes the requirement to conduct a comprehensive risk analysis, implement a risk management plan, develop a process for reviewing records of activity in information systems, develop procedures for responding to an emergency, assign a unique name and/or number for identifying and tracking user identity in its systems that contain ePHI, and review and revise its written policies to comply with the HIPAA Privacy and Security Rules.

"Cybercriminals continue to target the [health] care sector with ransomware attacks. Health care entities that do not thoroughly assess the risks to electronic protected health information and regularly review the activity within their electronic health record system leave themselves vulnerable to attack, and expose their patients to unnecessary risks of harm," said OCR Director Melanie Fontes Rainer. "Ensuring the confidentiality of electronic protected health information is critical to protect health information privacy and integral to our national security in the health care sector. OCR urges all health care entities to take the essential precautions and stay vigilant to safeguard their systems from cyberattacks."

OCR said there has been a 264% increase in large data breaches from ransomware attacks since 2018, and all HIPAA-regulated entities should take steps to improve cybersecurity. OCR recommends the following cybersecurity measures:

  • Review vendor and contractor relationships to ensure business associate agreements are in place and address breach/security incident obligations.
  • Integrate risk analysis and risk management into business processes, conducting them regularly and whenever new technologies and business operations are planned.
  • Ensure audit controls are in place to record and examine information system activity.
  • Implement regular review of information system activity.
  • Utilize multi-factor authentication to ensure only authorized users are accessing ePHI.
  • Encrypt ePHI to guard against unauthorized access to ePHI.
  • Incorporate lessons learned from incidents into the overall security management process.
  • Provide training specific to the organization and job responsibilities and, on a regular basis, reinforce workforce members' critical role in protecting privacy and security.

About Liam Johnson

Liam Johnson has produced articles about HIPAA for several years. He has extensive experience in healthcare privacy and security. With a deep understanding of the complex legal and regulatory landscape surrounding patient data protection, Liam has dedicated his career to helping organizations navigate the intricacies of HIPAA compliance. Liam focusses on the challenges faced by healthcare providers, insurance companies, and business associates in complying with HIPAA regulations. Liam has been published in leading healthcare publications, including The HIPAA Journal. Liam was appointed Editor-in-Chief of The HIPAA Guide in 2023. Contact Liam via LinkedIn: https://www.linkedin.com/in/liamhipaa/