Providence Medical Institute Pays $240,000 CMP to Resolve Alleged HIPAA Violations
The HHS' Office for Civil Rights (OCR) has announced its 8th financial penalty of the year to resolve alleged violations of the HIPAA Rules. Providence Medical Institute (PMI) in California has been ordered to pay a civil monetary penalty of $240,000 following an investigation of a ransomware attack that uncovered potential violations of two provisions of the HIPAA Security Rule.
The ransomware attack occurred on February 18, 2018, and involved three separate encryption events. The attacker gained access to the network in a phishing attack and used ransomware to encrypt files. The encrypted files were recovered from backup tapes within a few days; however, the attacker retained access to the network and encrypted files again. The files were restored again, only to be encrypted a third time. The last encryption event involved remote desktop access using administrative credentials thought to have been stolen by the attacker following the initial phishing attack.
OCR's investigation determined that the electronic protected health information (ePHI) stored on the compromised parts of the network had not been encrypted by Providence Medical Institute and could therefore have been accessed by the ransomware group. The ePHI of approximately 85,000 individuals was compromised in the attack, including names, dates of birth, Social Security numbers, driver's license numbers, financial information, and health information.
The attack involved the encryption of data on the systems of the Center for Orthopaedic Specialists (COS), an orthopedic medical service provider that was acquired by PMI in July 2016. PMI planned to integrate COS within 2 years; however, the integration was delayed and did not occur until May 2019. Around three months after the attack, PMI conducted a post-incident review and identified several security issues that had not been resolved at the time of the attack.
COS was using outdated and unsupported software and had not created a demilitarized zone (DMZ) between the internal network and the public internet. The firewall was not configured to properly track and monitor access to and changes on the network, Remote Desktop Protocol (RDP) was enabled in a way that allowed remote access to workstations from external sources, and workforce members were sharing generic credentials that granted administrative-level access to workstations. OCR determined that PMI failed to restrict access to systems containing ePHI to only those individuals and software programs authorized to access them, in violation of the 45 C.F.R. § 164.312(a)(1) provision of the HIPAA Security Rule. OCR also determined that there was no business associate agreement in place with an IT vendor that had access to COS systems containing ePHI, in violation of 45 C.F.R. § 164.308(b) of the HIPAA Security Rule.
Most OCR investigations are resolved through settlements, where the HIPAA-regulated entity is informed of the outcome of the investigation and OCR offers to informally resolve the alleged violations. Settlements typically involve a lower penalty than if the alleged violations are contested and usually require the entity to adopt a corrective action plan. In this case, PMI chose not to settle the alleged violations and provided evidence of mitigating factors; however, OCR determined that the evidence submitted did not constitute an affirmative defense and imposed a civil monetary penalty of $240,000.
"Failures to fully implement all of the HIPAA Security Rule requirements leaves HIPAA covered entities and business associates vulnerable to cyberattacks at the expense of the privacy and security of patients' health information," said OCR Director Melanie Fontes Rainer. "The health care sector needs to get serious about cybersecurity and complying with HIPAA. OCR will continue to stand up for patient privacy and work to ensure the security of health information of every person. On behalf of OCR, I urge all health care entities to always stay alert and take every precaution and steps to keep their systems safe from cyberattacks."