Plastic Surgery Practice Pays $500,000 Penalty to Settle Alleged HIPAA Violations
Plastic Surgery Associates of South Dakota was investigated by the Department of Health and Human Services (HHS) Office for Civil Rights (OCR) over a 2017 ransomware attack and data breach involving the electronic protected health information (ePHI) of 10,229 patients. OCR identified multiple potential violations of the HIPAA Rules and agreed to a $500,000 settlement to resolve the alleged non-compliance issues. This is OCR's sixth investigation of a ransomware-related data breach to result in a financial penalty for noncompliance with the HIPAA Rules.
Many healthcare providers have implemented safeguards to secure their networks and data only to have those defenses breached. It may not always be possible to prevent ransomware attacks; however, compliance with the HIPAA Security Rule makes it much harder for malicious actors to breach networks and gain access to ePHI, limits the severity of attacks that do succeed, and ensures that systems and data can be recovered in the shortest possible time frame with minimal disruption to healthcare operations.
According to OCR, large data breaches due to hacking incidents have increased by 256% in the past 5 years, and data breaches due to ransomware attacks have increased by 264% over the same period. Since OCR investigates all large data breaches to assess whether the breached entity was fully HIPAA compliant prior to the security incident, any ransomware attack or large data breach is likely to result in noncompliance issues being uncovered.
"Ransomware attacks often reveal a provider's underlying failures to comply with the HIPAA Security Rule requirements such as conducting a risk analysis or managing identified risks and vulnerabilities to health information," said OCR Director Melanie Fontes Rainer. "Such failures can make our doctors and hospitals attractive targets for cyberattacks and can lead to breakdowns in our health care system."
That was the case with Plastic Surgery Associates of South Dakota. OCR launched an investigation of the February 12, 2017 ransomware attack after being notified about a breach of ePHI on July 27, 2017. The attackers had gained access to the network by brute-forcing credentials over Remote Desktop Protocol (RDP). Files were encrypted on two servers and nine workstations, and because the servers could not be recovered from backups, the plastic surgery provider was left with no option other than paying the ransom. Two ransom demands were paid, totaling $27,399.97.
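The initial access described above, credential guessing against RDP followed by a successful interactive logon, leaves a distinctive trace in the Windows Security log: a burst of failed logons (event 4625) from one source address, then a success (event 4624) from the same source. The following detector is an added example, written for this page and not taken from the article, from OCR, or from the practice's own systems. The event lines are constructed and simplified to five fields (timestamp, event ID, logon type, account, source address); the threshold, window and logon-type set are assumptions to tune for a real environment.

```python
"""Detect RDP brute-force activity in Windows Security events.

Added example (not code from the article or from OCR). It scans a constructed
set of simplified Windows Security event lines for failed RDP logons (4625)
clustered by source address, and escalates when a success (4624) from the same
source follows the burst: credentials guessed, then a valid interactive session.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample events (timestamp, event ID, logon type, account, source).
# Simplified from the fields a real 4624/4625 carries; not from the incident.
SAMPLE_EVENTS = """\
2017-02-12T02:00:01 4625 10 administrator 203.0.113.45
2017-02-12T02:00:09 4625 10 admin 203.0.113.45
2017-02-12T02:00:17 4625 10 backup 203.0.113.45
2017-02-12T02:00:26 4625 10 scanner 203.0.113.45
2017-02-12T02:00:34 4625 10 user 203.0.113.45
2017-02-12T02:00:41 4625 10 reception 203.0.113.45
2017-02-12T02:03:12 4624 10 reception 203.0.113.45
2017-02-12T08:15:00 4625 10 drsmith 198.51.100.7
2017-02-12T08:15:20 4624 10 drsmith 198.51.100.7
2017-02-12T09:00:00 4625 3 svc_print 203.0.113.99
2017-02-12T09:00:01 4625 3 svc_print 203.0.113.99
"""

FAILED_LOGON = "4625"
SUCCESS_LOGON = "4624"
# Logon type 10 is RemoteInteractive (RDP). Assumption: on hosts with Network
# Level Authentication enabled, failed RDP attempts are typically recorded as
# logon type 3 (Network) instead, so widen this set for such environments.
RDP_LOGON_TYPES = {"10"}


def parse_events(text):
    """Parse the simplified five-field event lines into tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, event_id, logon_type, account, source = line.split()
        events.append((datetime.fromisoformat(ts), event_id, logon_type, account, source))
    return events


def detect_rdp_bruteforce(events, threshold=5, window=timedelta(minutes=10)):
    """Return alerts as (severity, source, detail) tuples.

    A source that accumulates `threshold` failed RDP logons inside `window`
    is reported once as 'high'. A later successful RDP logon from a source
    whose burst is still inside the window is reported as 'critical', which
    is the event an analyst should treat as a probable compromise.
    """
    failures = defaultdict(deque)  # source -> timestamps of recent failures
    flagged = set()                # sources already reported for this burst
    alerts = []
    for ts, event_id, logon_type, account, source in sorted(events):
        if logon_type not in RDP_LOGON_TYPES:
            continue
        recent = failures[source]
        while recent and ts - recent[0] > window:  # drop failures outside window
            recent.popleft()
        if not recent:
            flagged.discard(source)  # burst expired; a new one may alert again
        if event_id == FAILED_LOGON:
            recent.append(ts)
            if len(recent) >= threshold and source not in flagged:
                flagged.add(source)
                alerts.append(("high", source,
                               f"{len(recent)} failed RDP logons within {window}"))
        elif event_id == SUCCESS_LOGON and len(recent) >= threshold:
            alerts.append(("critical", source,
                           f"RDP logon as {account!r} after {len(recent)} failures"))
    return alerts


if __name__ == "__main__":
    for severity, source, detail in detect_rdp_bruteforce(parse_events(SAMPLE_EVENTS)):
        print(f"[{severity}] {source}: {detail}")
```

On the constructed sample the single legitimate user who mistypes a password once produces no alert, the non-RDP (logon type 3) failures are ignored, and the guessing source produces a high-severity alert at the fifth failure and a critical one when its logon as `reception` succeeds. In a live deployment the thresholds should be set from baseline failure rates, and the critical alert is the one to page on, since it indicates that the controls the corrective action plan later calls for (strong authentication and system activity review) were absent when they were needed.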
OCR investigated and identified multiple potential noncompliance issues. Plastic Surgery Associates of South Dakota had failed to implement policies and procedures to prevent, detect, contain, and correct security violations, including one of the most commonly identified noncompliance issues: the failure to conduct an accurate and thorough risk analysis. OCR also identified a failure to implement sufficient security measures to reduce risks and vulnerabilities to a reasonable and appropriate level, a failure to establish and implement policies and procedures for reviewing activity in information systems containing ePHI, and a failure to implement policies and procedures to address security incidents.
The corrective action plan includes measures to correct all of these issues. Further, OCR stipulated that the practice must implement backup policies and procedures to ensure that an exact copy of ePHI can be recovered, implement authentication mechanisms to verify that a person seeking access to ePHI is the one claimed, implement policies and procedures for uses and disclosures of ePHI and train the workforce on those procedures, and revise its breach notification policies and procedures to ensure that notifications are issued no later than 60 days from the date of discovery of a data breach.