The U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR) announced today that Elgon Information Systems (Elgon), a Massachusetts-based company providing electronic medical record and billing support services to covered entities, has agreed to an $80,000 settlement for violations of the HIPAA Security Rule. OCR enforces HIPAA’s Privacy, Security, and Breach Notification Rules, which outline the responsibilities of covered entities—such as health plans, healthcare clearinghouses, and healthcare providers—and their business associates in safeguarding protected health information (PHI).

The HIPAA Security Rule establishes national standards to protect electronic PHI (ePHI) through administrative, physical, and technical safeguards. This settlement follows an investigation into a ransomware attack that compromised Elgon’s information system.

“A HIPAA-compliant risk analysis is not only a legal requirement but also a fundamental component of effective cybersecurity,” stated OCR Director Melanie Fontes Rainer. “The most robust defense against cyber threats like hacking and ransomware is to assess potential risks and vulnerabilities to electronic protected health information thoroughly.”

Ransomware and hacking remain significant threats in the healthcare sector. Ransomware is malicious software designed to block user access to data, often by encrypting it, until a ransom is paid. Since 2018, OCR has reported a 264% increase in large breaches involving ransomware. This settlement is part of OCR’s Risk Analysis Initiative, which emphasizes compliance with the HIPAA Security Rule’s Risk Analysis provision—a foundational requirement for cybersecurity and ePHI protection.

Details of the Incident

On March 25, 2023, a cybercriminal gained unauthorized access to Elgon’s server through open firewall ports. Elgon discovered the intrusion on March 31, 2023, after finding a ransom note. By June 2023, Elgon reported the breach to HHS, revealing that approximately 31,248 individuals were affected. The compromised data included both demographic information (e.g., names, Social Security numbers, addresses, driver’s license numbers, and dates of birth) and clinical details (e.g., medications, diagnoses, and conditions).

OCR’s investigation revealed that Elgon failed to conduct a thorough and accurate risk analysis to identify potential risks and vulnerabilities to ePHI. Under the settlement agreement, OCR will monitor Elgon for three years to ensure compliance with HIPAA. Elgon has agreed to pay $80,000 and implement a corrective action plan to address potential violations and enhance its security measures.

Corrective Action Plan

Elgon’s corrective actions include:

  • Conducting a comprehensive risk analysis to identify potential vulnerabilities to ePHI and ensuring its confidentiality, integrity, and availability.
  • Updating its enterprise-wide Risk Management Plan to address and mitigate risks identified during the updated risk analysis.
  • Reviewing and revising its HIPAA Privacy and Security Rule policies and procedures.
  • Providing HIPAA-specific workforce training.

Best Practices for Cybersecurity

OCR advises covered entities and business associates to adopt the following measures to mitigate cyber threats:

  • Regularly review vendor and contractor relationships to ensure proper business associate agreements are in place.
  • Integrate risk analysis and management into business processes and revisit them when implementing new technologies or operations.
  • Implement audit controls to monitor information system activity.
  • Use multi-factor authentication to restrict ePHI access to authorized users only.
  • Encrypt ePHI to protect against unauthorized access.
  • Incorporate lessons learned from previous security incidents into security management strategies.
  • Provide regular, role-specific workforce training on privacy and security protocols.
