Data Hosting Provider Settles Alleged Risk Analysis HIPAA Violation for $90,000
A Virginia data hosting and cloud service provider that suffered a ransomware attack has agreed to settle an alleged violation of the HIPAA Security Rule with the U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR) for $90,000.
Virtual Private Network Solutions LLC provided services to multiple HIPAA-covered entities, which involved the storage of electronic protected health information (ePHI). On October 31, 2021, a ransomware group gained access to its server infrastructure and encrypted files, including ePHI such as names, addresses, dates of birth, driver's license information, Social Security numbers, other identifiers, claim information, bank account numbers, other financial information, diagnoses/conditions, lab results, medications, and other treatment information.
Virtual Private Network Solutions reported the data breach to OCR in December 2021 on behalf of 12 of its covered entity clients as a breach of the ePHI of 6,400 individuals. Other clients were also affected but issued their own notifications. OCR investigated the breach and determined that Virtual Private Network Solutions had not conducted a HIPAA-compliant risk analysis to identify risks and vulnerabilities to the confidentiality, integrity, and availability of ePHI.
Usually, when an OCR investigation uncovers a HIPAA violation severe enough to warrant a financial penalty, OCR gives the HIPAA-regulated entity the opportunity to resolve the matter informally. Settlements involve a lower financial penalty and require no admission of liability. Virtual Private Network Solutions chose to settle and paid a financial penalty. The settlement agreement also requires Virtual Private Network Solutions to adopt a corrective action plan (CAP) to address potential noncompliance issues and one year of compliance monitoring by OCR.
The CAP requires Virtual Private Network Solutions to conduct a comprehensive, organization-wide risk analysis to identify risks and vulnerabilities to ePHI and to develop and implement a plan to reduce any identified risks to a low and acceptable level. Policies and procedures must be reviewed, developed, and revised as necessary to comply with the HIPAA Rules. They must cover risk analysis, risk management, security awareness and training, security incident procedures, the establishment of a data backup plan to ensure that ePHI can be recovered in the event of a disaster, and procedures for issuing breach notifications as required by the HIPAA Breach Notification Rule.
This was OCR's 9th investigation of a ransomware attack to result in a financial penalty and the third enforcement action under OCR's risk analysis enforcement initiative.