The U.S. Department of Health and Human Services (HHS), through its Office for Civil Rights (OCR), has announced a settlement with Guam Memorial Hospital Authority (GMHA) regarding potential violations of the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Security Rule. This action follows two complaints indicating unauthorized disclosure of patients’ electronic protected health information (ePHI). GMHA is a public hospital located on the U.S. Territory of Guam.

The HIPAA Privacy, Security, and Breach Notification Rules, enforced by OCR, mandate safeguards for the privacy and security of protected health information by covered entities (including health plans, clearinghouses, and most healthcare providers) and their business associates.

OCR initiated an investigation in January 2019 after receiving a complaint about a ransomware attack that compromised the ePHI of approximately 5,000 individuals at GMHA. Subsequently, in March 2023, another complaint was filed alleging that hackers had gained unauthorized access to patient records. OCR's investigation concluded that GMHA had failed to conduct an accurate and thorough risk analysis of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of its ePHI, as the Security Rule requires (45 CFR § 164.308(a)(1)(ii)(A)).

According to OCR Acting Director Anthony Archeval, “Ransomware and hacking pose significant cyber-threats to electronic protected health information in the healthcare sector. Neglecting HIPAA risk analysis leaves this sensitive data exposed and susceptible to future cyberattacks.”

Under the terms of the resolution agreement, GMHA has agreed to a three-year corrective action plan monitored by OCR and will pay a settlement of $25,000. The corrective action plan requires GMHA to implement several measures to ensure compliance with the HIPAA Security Rule and enhance ePHI security. These measures include:

  • Conducting a thorough risk analysis to identify potential threats and vulnerabilities to the confidentiality, integrity, and availability of its ePHI.
  • Developing and implementing a risk management plan to address identified security risks and vulnerabilities.
  • Establishing a written process for the regular review of information system activity logs, access reports, and security incident tracking reports.
  • Developing, maintaining, and updating written policies and procedures to ensure compliance with the HIPAA Privacy, Security, and Breach Notification Rules.
  • Enhancing its existing HIPAA and security training program to ensure all workforce members understand HIPAA requirements and GMHA’s policies.
  • Improving workforce security and information access management by reviewing all existing access credentials to ePHI.
  • Conducting breach risk assessments and providing evidence of compliance with all breach notification obligations to OCR.

OCR recommends that all HIPAA-covered entities and business associates implement the following practices to mitigate cyber-threats:

  • Identify all locations where ePHI is stored, processed, and transmitted within the organization’s information systems.
  • Integrate risk analysis and risk management into routine business processes.
  • Implement audit controls to record and monitor information system activity.
  • Conduct regular reviews of information system activity.
  • Utilize authentication mechanisms to ensure only authorized users access ePHI.
  • Encrypt ePHI both during transmission and when stored, where appropriate, to prevent unauthorized access.
  • Incorporate lessons learned from security incidents into the organization’s overall security management process.
  • Provide regular, organization-specific HIPAA training tailored to individual job duties for all workforce members.
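As an added illustration of the audit-control and activity-review items above (this is example code written for this page, not part of OCR's release or GMHA's corrective action plan), the following Python script reviews constructed sample audit-log lines in a hypothetical pipe-delimited EHR format. The user roster, business-hours window, per-user record threshold, and the list of bulk actions are all assumptions chosen for the example; a real review would draw them from the organization's own access-credential review and risk analysis.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample audit-log lines in a hypothetical pipe-delimited EHR format
# (timestamp|user|claimed_role|action|patient_id|workstation). Not real data.
SAMPLE_LOG = """\
2024-03-04T08:15:22|jsmith|nurse|view|P1001|WS-ICU-03
2024-03-04T08:20:10|jsmith|nurse|view|P1002|WS-ICU-03
2024-03-04T09:02:45|drlee|physician|update|P1001|WS-ER-01
2024-03-04T02:47:09|bkhan|billing|view|P1003|WS-FIN-02
2024-03-04T10:00:00|tgone|nurse|view|P1004|WS-ICU-07
2024-03-04T11:01:00|bkhan|billing|view|P2001|WS-FIN-02
2024-03-04T11:02:00|bkhan|billing|view|P2002|WS-FIN-02
2024-03-04T11:03:00|bkhan|billing|view|P2003|WS-FIN-02
2024-03-04T11:04:00|bkhan|billing|view|P2004|WS-FIN-02
2024-03-04T11:05:00|bkhan|billing|view|P2005|WS-FIN-02
2024-03-04T11:06:00|bkhan|billing|view|P2006|WS-FIN-02
2024-03-04T11:30:00|bkhan|billing|export|P2006|WS-FIN-02
2024-03-04T14:05:00|jsmith|physician|view|P1005|WS-ICU-03
"""

# Hypothetical access roster (user -> authorized role). In practice this is the
# output of the access-credential review described in the corrective action plan.
ACCESS_ROSTER = {"jsmith": "nurse", "drlee": "physician", "bkhan": "billing"}

BUSINESS_HOURS = range(6, 20)     # 06:00-19:59 local time; assumption for the example
DISTINCT_PATIENT_THRESHOLD = 5    # distinct records per user per day before flagging
BULK_ACTIONS = {"export", "print_all"}


def parse_log(text):
    """Parse the constructed log format into a list of event dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, role, action, patient, workstation = line.split("|")
        events.append({
            "ts": datetime.fromisoformat(ts),
            "user": user,
            "role": role,
            "action": action,
            "patient": patient,
            "workstation": workstation,
        })
    return events


def review_activity(events, roster=ACCESS_ROSTER):
    """Apply per-event and per-user/day review rules.

    Returns a list of (rule, user, detail) findings for follow-up.
    """
    findings = []
    patients_per_user_day = defaultdict(set)

    for e in events:
        user, day = e["user"], e["ts"].date().isoformat()
        when = f"{e['ts'].isoformat()} {e['action']} {e['patient']}"
        patients_per_user_day[(user, day)].add(e["patient"])

        # Account not on the roster: stale or never-authorized credential.
        if user not in roster:
            findings.append(("unknown_account", user, when))
            continue  # the remaining rules assume a known account
        # Claimed role differs from the authorized one.
        if e["role"] != roster[user]:
            findings.append(("role_mismatch", user,
                             f"claimed {e['role']}, authorized {roster[user]}"))
        # Access outside the business-hours window.
        if e["ts"].hour not in BUSINESS_HOURS:
            findings.append(("after_hours", user, when))
        # Bulk actions (export, print-all) are reviewed individually.
        if e["action"] in BULK_ACTIONS:
            findings.append(("bulk_action", user, when))

    # Unusually many distinct patient records touched by one user in one day.
    for (user, day), patients in sorted(patients_per_user_day.items()):
        if len(patients) > DISTINCT_PATIENT_THRESHOLD:
            findings.append(("high_volume", user,
                             f"{len(patients)} distinct patient records on {day}"))

    return findings


def summarize(findings):
    """Count findings per rule, the figure a periodic review report would carry."""
    counts = defaultdict(int)
    for rule, _, _ in findings:
        counts[rule] += 1
    return dict(counts)


if __name__ == "__main__":
    results = review_activity(parse_log(SAMPLE_LOG))
    for rule, user, detail in results:
        print(f"{rule:16} {user:8} {detail}")
    print(summarize(results))
```

Run on the constructed lines, the script flags the off-hours view by bkhan, the unrostered account tgone, the export action, jsmith's mismatched role claim, and bkhan's seven distinct patient records in one day, while drlee's ordinary activity produces no finding. The thresholds are deliberately simple; the point is that a written review process names the rules, who runs them, how often, and what happens with each finding.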

The resolution agreement and corrective action plan are available at: https://www.hhs.gov/sites/default/files/ocr-hipaa-recap-gmha.pdf [PDF, 228 KB]

Information regarding the HHS Breach Portal: Notice to the Secretary of HHS Breach of Unsecured Protected Health Information can be found at: https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf