The U.S. Department of Health and Human Services (HHS), Office for Civil Rights (OCR), has announced a settlement with Northeast Surgical Group, P.C. (NESG), a Michigan-based provider of surgical services, for potential violations of the Health Insurance Portability and Accountability Act (HIPAA) Security Rule. OCR oversees the enforcement of the HIPAA Privacy, Security, and Breach Notification Rules, which are designed to protect the privacy and security of protected health information (PHI) by setting compliance standards for covered entities and business associates.
The HIPAA Security Rule establishes national standards for administrative, physical, and technical safeguards that protect the confidentiality, integrity, and availability of electronic PHI (ePHI). This settlement resolves an investigation into a ransomware attack on NESG’s information system.
OCR Director Highlights the Importance of Risk Analysis
“Assessing risks and vulnerabilities to electronic PHI is one of the most critical steps for implementing effective cybersecurity in health care,” said OCR Director Melanie Fontes Rainer. “Neglecting to conduct a HIPAA risk analysis exposes health care entities to cyberattacks, including hacking and ransomware. This harms our health care system and, ultimately, patients. We must prioritize compliance and cybersecurity.”
Ransomware: A Growing Threat to Healthcare
Ransomware is a form of malicious software that blocks access to data, typically by encrypting it, until a ransom is paid. Since 2018, OCR has observed a 264% increase in large breaches involving ransomware. Such attacks are now a leading cyber threat in health care.
This settlement is also the fourth enforcement action under OCR’s Risk Analysis Initiative, which aims to:
- Enhance compliance with the HIPAA Security Rule’s Risk Analysis provision.
- Conduct more investigations into cybersecurity breaches.
- Emphasize the importance of thorough risk analysis for protecting ePHI.
Details of the Incident and OCR Investigation
In March 2023, NESG reported to OCR a ransomware attack in which attackers encrypted and exfiltrated the PHI of 15,298 patients. OCR’s investigation found that NESG had not conducted an accurate and thorough risk analysis to identify the potential risks and vulnerabilities to the ePHI held in its systems.
Settlement and Corrective Action Plan
Under the resolution agreement, NESG agreed to:
- Pay a $10,000 settlement to OCR.
- Implement a Corrective Action Plan (CAP), which will be monitored by OCR for two years.
The CAP includes the following requirements:
- Conducting a thorough and accurate risk analysis to identify vulnerabilities to the confidentiality, integrity, and availability of ePHI.
- Developing and implementing a risk management plan to address identified security risks.
- Revising and maintaining policies and procedures to ensure compliance with HIPAA Rules.
- Providing HIPAA training to staff to reinforce privacy and security measures.
The resolution agreement and corrective action plan are available here: Northeast Surgical Group Resolution Agreement.
Steps to Mitigate Cyber Threats
OCR recommends the following measures for HIPAA-covered entities and their business associates to mitigate or prevent cyber threats:
- Ensure business associate agreements are in place and include breach notification obligations.
- Regularly integrate risk analysis and risk management into organizational processes.
- Implement audit controls to record and examine information system activity.
- Use multi-factor authentication to restrict ePHI access to authorized users.
- Encrypt ePHI to safeguard against unauthorized access.
- Learn from past incidents to improve security measures.
- Provide targeted, ongoing training to workforce members about their roles in protecting PHI.
This settlement underscores the critical importance of proactive cybersecurity measures to protect sensitive health information and maintain HIPAA compliance.