The U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR) has announced a $90,000 settlement with Virtual Private Network Solutions, LLC (VPN Solutions), a Virginia-based business associate that provides data hosting and cloud services to covered entities and other business associates. This settlement addresses potential violations of the HIPAA Security Rule, which sets national standards for safeguarding electronic protected health information (ePHI).

The investigation stemmed from a ransomware attack on VPN Solutions’ systems. OCR Director Melanie Fontes Rainer emphasized the importance of proactive security measures, stating, “An accurate and thorough risk analysis is foundational to both HIPAA Security Rule compliance and protecting health information from cyberattacks. Failure to conduct a risk analysis leaves health care entities exposed to future hacking and ransomware attacks.”

Details of the Incident

In December 2021, OCR received a breach report from VPN Solutions regarding a ransomware attack on October 31, 2021. The attack impacted server infrastructure and affected data for 12 covered entities, which had delegated breach reporting responsibilities to VPN Solutions. The encrypted data included sensitive information such as names, addresses, Social Security numbers, financial data, medical diagnoses, lab results, and treatment details.

OCR’s investigation found that VPN Solutions had not conducted a compliant risk analysis to identify potential risks and vulnerabilities to ePHI within its system, a fundamental requirement of the HIPAA Security Rule.

Corrective Action Plan

As part of the settlement, VPN Solutions has agreed to:

  • Conduct a comprehensive risk analysis to assess potential threats and vulnerabilities to ePHI.
  • Implement a risk management plan to mitigate identified risks.
  • Develop, maintain, and update written policies and procedures to comply with HIPAA regulations.
  • Assess the October 31, 2021, breach and provide evidence that affected covered entities and individuals have been notified.
  • Submit to OCR monitoring for one year to ensure compliance with HIPAA.

Recommendations for Preventing Cyber Threats

OCR advises HIPAA-covered entities and business associates to take these steps to mitigate cyber risks:

  • Regularly review vendor and contractor relationships, ensuring proper business associate agreements are in place.
  • Incorporate risk analysis and risk management into business operations.
  • Implement and review audit controls to monitor system activity.
  • Utilize multi-factor authentication for secure access to ePHI.
  • Encrypt ePHI to protect against unauthorized access.
  • Apply lessons learned from past incidents to improve security practices.
  • Provide ongoing, role-specific training to workforce members to reinforce privacy and security responsibilities.
