The U.S. Department of Health and Human Services (HHS), Office for Civil Rights (OCR), has announced a $240,000 civil monetary penalty against Providence Medical Institute in Southern California. This penalty follows an investigation into potential Health Insurance Portability and Accountability Act of 1996 (HIPAA) Security Rule violations prompted by a ransomware attack. Since 2018, ransomware attacks reported to OCR have increased by 264%.

“Failing to implement all HIPAA Security Rule requirements fully leaves covered entities and business associates vulnerable to cyberattacks, compromising patient health information privacy and security,” said OCR Director Melanie Fontes Rainer. “The healthcare sector must take cybersecurity seriously and comply with HIPAA. OCR will continue to protect patient privacy and ensure health information security. I urge all healthcare entities to stay vigilant and take every necessary step to protect their systems from cyberattacks.”

OCR enforces the HIPAA Privacy, Security, and Breach Notification Rules, which require covered entities (health plans, healthcare clearinghouses, and most healthcare providers) and business associates to protect the privacy and security of protected health information. The HIPAA Security Rule sets national standards for protecting electronic personal health information (ePHI) and mandates administrative, physical, and technical safeguards to ensure confidentiality, integrity, and security. The civil monetary penalty resolves OCR’s investigation into Providence Medical Institute’s compliance with the HIPAA Security Rule.

The investigation began after Providence Medical Institute reported a breach in April 2018 involving ransomware attacks that affected the ePHI of 85,000 individuals between February and March 2018. The investigation revealed that servers containing ePHI were encrypted by ransomware three times. OCR identified two potential HIPAA Security Rule violations: the lack of a business associate agreement and failure to implement policies and procedures restricting access to ePHI to authorized individuals or software programs.

In March 2024, OCR issued a Notice of Proposed Determination to impose a civil monetary penalty. Providence Medical Institute waived its right to a hearing and did not contest OCR’s findings, resulting in the $240,000 penalty.

OCR recommends the following steps for healthcare providers, health plans, clearinghouses, and business associates covered by HIPAA to prevent or mitigate cyber threats:

  • Review all vendor and contractor relationships to ensure business associate agreements are in place and address breach/security incident obligations.
  • Integrate risk analysis and management into business processes, regularly conducting them and when new technologies and business operations are planned.
  • Ensure audit controls are in place to record and examine information system activity.
  • Regularly review information system activity.
  • Utilize multi-factor authentication to ensure only authorized users access ePHI.
  • Encrypt ePHI to protect against unauthorized access.
  • Incorporate lessons learned from incidents into the overall security management process.
  • Provide regular, job-specific training to reinforce the critical role of workforce members in protecting privacy and security.

Providence Medical Institute Notice of Proposed Determination

CyberSecurity Awareness Training for Healthcare Employees to meet HIPAA Requirements