HHS Civil Rights Office Reaches $450,000 Settlement with Health Plan Following Ransomware Attack

Agreement marks OCR’s 20th ransomware enforcement action and 14th action under its Risk Analysis Initiative

The U.S. Department of Health and Human Services’ Office for Civil Rights has reached a settlement with the Spencer Gifts LLC Flexible Benefits and Welfare Benefit Plans over potential violations of federal health information privacy and security requirements.

The employer-sponsored group health plan, operated by national retailer Spencer Gifts LLC, agreed to pay $450,000 and implement a two-year corrective action plan monitored by OCR.

The settlement concerns potential violations of the Health Insurance Portability and Accountability Act’s Privacy and Security Rules following a 2021 ransomware attack.

“Effective cybersecurity starts with Security Rule compliance, ensuring that Security Rule provisions are implemented before a cyberattack occurs,” OCR Director Paula M. Stannard said. “Regulated entities—including covered group health plans—should ensure these protections are firmly in place well before a cyberattack occurs, so the privacy and security of individuals’ health information remain safeguarded.”

OCR enforces the HIPAA Privacy, Security and Breach Notification Rules. These rules require covered entities and their business associates to protect the privacy and security of protected health information.

The HIPAA Security Rule also requires regulated organizations to conduct accurate and thorough assessments of the risks and vulnerabilities that could affect the confidentiality, integrity and availability of electronic protected health information, or ePHI.

Ransomware attack affected more than 10,000 people

OCR began its investigation after the health plan submitted a breach report on January 24, 2022.

The incident came to light after employees reported that they could not connect to the company’s virtual private network. The health plan subsequently determined that an unauthorized actor had gained access to the company’s network in November 2021 and deployed ransomware.

The attack encrypted data stored on company systems, including servers containing the health plan’s protected health information. The attacker also demanded a ransom.

The breach potentially affected the information of 10,023 individuals. Exposed data may have included health plan members’:

  • Names
  • Mailing addresses and ZIP codes
  • Telephone numbers
  • Email addresses
  • Social Security numbers

OCR’s investigation found that the health plan may have violated the HIPAA Privacy and Security Rules by failing to conduct an accurate and thorough risk analysis before the attack. OCR also found that the plan may not have implemented reasonable and appropriate policies and procedures required under the HIPAA Privacy, Security and Breach Notification Rules.

Corrective actions required

In addition to paying the $450,000 settlement, the health plan agreed to complete several corrective measures during the two-year monitoring period.

The plan must:

  • Conduct a comprehensive risk analysis to identify risks and vulnerabilities affecting its ePHI.
  • Review and revise its privacy, security and breach-notification policies and procedures as necessary to comply with HIPAA.
  • Ensure that all workforce members receive appropriate training on those policies and procedures.

OCR recommends stronger cybersecurity safeguards

OCR urged healthcare providers, health plans, healthcare clearinghouses and business associates to take proactive steps to reduce the risk of ransomware attacks and other cyberthreats.

Recommended measures include:

  • Identifying where ePHI is stored and documenting how it enters, moves through and leaves the organization’s information systems.
  • Conducting and regularly updating risk analyses.
  • Developing risk-management plans that address identified threats to ePHI.
  • Maintaining audit controls that record and examine information-system activity.
  • Regularly reviewing system activity for signs of unauthorized access.
  • Using authentication controls to ensure that only authorized individuals can access ePHI.
  • Encrypting ePHI both in transit and at rest when appropriate.
  • Incorporating lessons learned from security incidents into the organization’s security-management program.
  • Providing regular, organization-specific HIPAA training tailored to employees’ job responsibilities.

The resolution agreement and corrective action plan are available through the Office for Civil Rights at https://www.hhs.gov/sites/default/files/ocr-ra-cap-spencer.pdf