OCR Settles Ransomware Investigation and Agrees $80,000 Penalty for Risk Analysis Failure
The U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR) has announced another settlement under its HIPAA risk analysis enforcement initiative. This is OCR’s 8th ransomware-related data breach investigation to result in a financial penalty. Elgon Information Systems, a Massachusetts-based electronic medical record and billing service vendor, fell victim to a ransomware attack in March 2023 that resulted in the ransomware group gaining access to parts of its systems that stored the electronic protected health information (ePHI) of 31,248 individuals.
Initial access to the network was gained via open ports in its firewall on March 25, 2023; however, the intrusion went undetected for 6 days. Elgon learned of the attack only when files were encrypted and a ransom note was discovered. OCR was notified of the data breach in June 2023 and launched an investigation to determine whether Elgon was compliant with the HIPAA Security Rule. OCR determined that Elgon had not conducted a comprehensive risk analysis to identify risks and vulnerabilities to the confidentiality, integrity, and availability of ePHI, as required by 45 C.F.R. § 164.308(a)(1)(ii)(A) of the HIPAA Security Rule. Elgon chose to settle the alleged HIPAA Security Rule violation with no admission of wrongdoing, paid an $80,000 financial penalty, and agreed to adopt a corrective action plan to improve its risk analysis process. OCR will monitor Elgon for compliance with the HIPAA Rules for 3 years.
The risk analysis is one of the most important provisions of the HIPAA Security Rule as it is essential for effective cybersecurity and the protection of ePHI, yet it is one of the most commonly identified HIPAA violations. Many HIPAA-regulated entities conduct a risk analysis and address the risks and vulnerabilities they discover, but fail to identify all risks and vulnerabilities as the risk analysis does not cover all devices and locations of ePHI, meaning risks and vulnerabilities are missed and not subjected to risk management processes.
In the most recent round of HIPAA Security Rule audits, OCR found that most audited entities were not fully compliant with the HIPAA Security Rule’s risk analysis and risk management requirements. OCR commonly identifies risk analysis failures when investigating healthcare data breaches, hence the enforcement initiative focusing on risk analysis compliance.
OCR has clarified in its proposed HIPAA Security Rule update that HIPAA-regulated entities must maintain an accurate inventory of technology assets, determine how ePHI moves through their information systems, and identify all locations within those systems where ePHI may be created, received, maintained, or transmitted as part of the risk analysis process. “A HIPAA-compliant risk analysis is not only required under the law, but is also an essential step in effective cybersecurity,” said OCR Director Melanie Fontes Rainer. “The best defense to cyberattacks, such as hacking and ransomware, is ensuring that potential risks and vulnerabilities to electronic protected health information have been assessed.”