The Indiana Attorney General has agreed to a $250,000 settlement with Schneck Medical Center. The settlement resolves alleged violations of HIPAA and state laws that contributed to a 2021 ransomware attack in which the protected health information of almost 90,000 Indiana residents was stolen.
On or around September 29, 2021, Schneck Medical Center experienced a ransomware attack. Prior to file encryption, the threat actor exfiltrated files containing the PHI of 89,707 state residents. The types of information stolen in the attack included names, addresses, dates of birth, Social Security numbers, driver’s license numbers, financial account information, payment card information, diagnoses, and health insurance information.
The Indiana Attorney General investigated the breach and identified multiple security failures. As required by HIPAA, Schneck Medical Center conducted a risk analysis in December 2020 to identify risks and vulnerabilities to the confidentiality, integrity, and availability of electronic protected health information (ePHI); however, the risk analysis was not accurate and thorough. While the risk analysis identified multiple critical security issues, Schneck Medical Center failed to address them and reduce them to a low and acceptable level.
Procedures had not been implemented for guarding against, detecting, and reporting malicious software, monitoring logins, and creating, changing, and safeguarding passwords. Technical policies had not been implemented for electronic information systems that contained ePHI, and hardware, software, and procedural mechanisms had not been implemented for recording and examining activity in information systems. Procedures had not been implemented to verify that a person seeking access to ePHI is who they claim to be, and there were insufficient policies and procedures for addressing security incidents.
When a data breach occurs, victims of the breach must be notified. The HIPAA Breach Notification Rule requires individual notifications to be issued within 60 days of the discovery of a data breach, yet it took more than 225 days from the discovery of the breach for notification letters to be issued. Schneck Medical Center did publish statements on its website about the cyberattack, the first of which was added promptly on September 29, 2021; however, Schneck Medical Center did not disclose that protected health information had been exposed, despite knowing that PHI had been stolen. In a November 2021 update, Schneck Medical Center confirmed that files had been stolen but did not say those files included protected health information. Further, Schneck Medical Center’s substitute breach notification, published on May 13, 2022, misrepresented the date of discovery of the data breach, saying data theft was confirmed on March 17, 2022, when Schneck Medical Center knew on September 29, 2023, that data had been stolen.
The Indiana Attorney General alleged violations of the HIPAA Security Rule and the HIPAA Breach Notification Rule, as well as an impermissible disclosure of PHI in violation of the HIPAA Privacy Rule. Schneck Medical Center is also alleged to have violated the Indiana Disclosure of Security Breach Act and the Indiana Deceptive Consumer Sales Act. In addition to the financial penalty, the settlement details the technical security measures that must be implemented. Within 90 days, Schneck Medical Center must implement an information security program that addresses all of the identified security issues; an incident response plan must be developed and implemented to ensure a compliant response to future security incidents; and HIPAA data security and privacy training must be provided to all personnel with access to personal information or protected health information.
Two class action lawsuits were also filed in response by patients who had their protected health information stolen in the attack. The lawsuits were consolidated and recently settled for $1.3 million.