HHS OCR Settles Four HIPAA Ransomware Investigations Affecting More Than 427,000 Individuals

The U.S. Department of Health and Human Services Office for Civil Rights, also known as OCR, has announced four separate HIPAA settlements involving ransomware breaches. Together, these breaches affected more than 427,000 people and exposed unsecured electronic protected health information, also called ePHI.

These settlements are an important reminder for healthcare providers, health plans, healthcare clearinghouses, and business associates. Ransomware is not just an information technology problem. It is also a HIPAA compliance problem when patient or member information is placed at risk.

Ransomware is a type of malicious software that can lock or encrypt an organization’s data. The attacker then demands payment before giving the organization access to its own information again. In healthcare, this can be especially dangerous because it may affect patient care, delay services, expose sensitive records, and lead to serious compliance consequences.

OCR explained that these settlements bring the total number of completed ransomware breach investigations to 19. They also add to OCR’s Risk Analysis Initiative, which focuses on whether regulated organizations are properly identifying and managing risks to electronic protected health information.

Why These Cases Matter

The HIPAA Security Rule requires covered entities and business associates to protect electronic protected health information. This means organizations must use administrative, physical, and technical safeguards to protect the confidentiality, integrity, and availability of ePHI.

One of the most important HIPAA Security Rule requirements is the risk analysis requirement. A risk analysis helps an organization identify where ePHI is stored, how it is used, where it may be vulnerable, and what threats could put it at risk.

OCR found that each of the four organizations failed to conduct an accurate and thorough risk analysis. In some cases, OCR also found impermissible disclosures of protected health information or failure to notify affected individuals in a timely manner.

OCR Director Paula M. Stannard stated that hacking and ransomware are the most common types of large breaches reported to OCR. She also emphasized that organizations should implement the HIPAA Security Rule before a breach happens, not after an investigation begins.

The Four HIPAA Settlements

The four settlements totaled $1,165,000. Each organization also agreed to a corrective action plan that will be monitored by OCR for two years.

Regional Women’s Health Group, LLC, Doing Business as Axia Women’s Health

Regional Women’s Health Group, LLC, also known as Axia Women’s Health, is a network of women’s healthcare providers serving patients in New Jersey, Pennsylvania, Ohio, Indiana, and Kentucky.

The ransomware breach affected 37,989 individuals. The exposed information may have included names, addresses, dates of birth, Social Security numbers, driver’s license numbers, diagnoses or conditions, lab results, and medications.

The organization reported in December 2020 that an unauthorized third party gained access to its information technology network and may have removed data from its electronic medical record database.

OCR found that the organization failed to conduct an accurate and thorough risk analysis to identify possible risks and vulnerabilities to its ePHI.

As part of the settlement, Regional Women’s Health Group agreed to corrective actions and paid $320,000 to OCR.

Assured Imaging Affiliated Covered Entities

Assured Imaging is a medical imaging and screening service provider with headquarters in Arizona and California.

Its ransomware breach affected 244,813 individuals. The affected information included patient names, addresses, dates of birth, diagnoses and conditions, lab results, medications, and treatment information.

Assured Imaging reported in May 2020 that a server on its network had been infected with ransomware.

OCR’s investigation found several issues. OCR determined that Assured Imaging impermissibly disclosed protected health information, failed to conduct an accurate and thorough risk analysis, and failed to notify affected individuals of the breach in a timely manner.

Assured Imaging agreed to corrective actions and paid $375,000 to OCR.

Consociate, Inc., Doing Business as Consociate Health

Consociate Health is a third-party administrator of employer-sponsored benefit programs. It provides health plan administration, plan analytics, and consulting services to HIPAA covered entities as a business associate.

The ransomware breach affected approximately 136,539 individuals. The exposed information included names, addresses, dates of birth, driver’s license numbers, Social Security numbers, credit card or bank account numbers, and diagnoses or conditions.

Consociate reported in November and December 2021 that some of its information systems had been encrypted during a ransomware attack. The organization later learned that the attack followed a successful phishing attack in July 2020. After that phishing attack, the threat actor gained access to a server that contained ePHI.

OCR found that Consociate failed to conduct an accurate and thorough risk analysis to identify risks and vulnerabilities to the ePHI it maintained.

As part of the settlement, Consociate agreed to corrective actions and paid $225,000 to OCR.

Star Group, L.P. Health Benefits Plan

Star Group, L.P. Health Benefits Plan is the self-funded employee benefits plan of a Connecticut-based energy provider.

The ransomware breach affected about 9,316 individuals. The affected information included names, addresses, dates of birth, Social Security numbers, and health insurance information. This health insurance information included member identification numbers, claims data, and benefit selection information.

The health plan reported in October 2021 that an unauthorized actor deployed ransomware on its information system and removed protected health information.

OCR found that the health plan impermissibly disclosed protected health information and failed to conduct an accurate and thorough risk analysis.

The plan agreed to corrective actions and paid $245,000 to OCR.

Key Lessons for Healthcare Organizations and Business Associates

These settlements show that OCR continues to focus closely on ransomware, hacking, and risk analysis failures. Healthcare organizations should not wait until after a cyberattack to review their HIPAA Security Rule compliance.

OCR recommends that covered entities and business associates take several important steps to reduce cybersecurity risks.

  • Organizations should first identify where ePHI is located. This includes understanding how ePHI enters the organization, where it is stored, how it moves through systems, and how it leaves the organization.
  • They should also conduct a risk analysis and update it when needed. A risk analysis should not be treated as a one-time project. It should be reviewed regularly, especially when systems, vendors, workflows, or threats change.
  • After identifying risks, organizations should develop and implement a risk management plan. This plan should explain how the organization will reduce risks and protect electronic protected health information.
  • Organizations should also use audit controls to record and examine system activity. Regular review of system activity can help detect suspicious behavior earlier.
  • Access controls and authentication are also important. Organizations should make sure only authorized users can access ePHI.
  • Encryption should also be considered for ePHI at rest and in transit when appropriate. Encryption can help protect sensitive information if a device, system, or transmission is compromised.
  • Finally, organizations should learn from security incidents. Lessons from ransomware attacks, phishing attempts, and other security events should be used to improve the organization’s overall security program.

HIPAA Training Remains Essential

One of OCR’s recommendations is regular HIPAA training for workforce members. Training should be specific to the organization and should match each employee’s job duties.

This is important because many ransomware attacks begin with human error, such as clicking on a phishing email, using weak passwords, mishandling sensitive information, or failing to report suspicious activity.

HIPAA training helps employees understand how to protect patient information, recognize common threats, report problems quickly, and follow the organization’s security policies.

Final Takeaway

These four OCR settlements send a clear message. Ransomware prevention and HIPAA compliance must work together.

Healthcare organizations and business associates should review their risk analysis, risk management plan, access controls, audit controls, encryption practices, breach response procedures, and employee training programs. Waiting until after a ransomware attack can lead to serious harm for patients and members, as well as costly enforcement actions.

A strong HIPAA Security Rule program is not only a legal requirement. It is also one of the best ways to reduce the impact of cyberattacks and protect the people whose information has been trusted to the organization.

The resolution agreement and corrective action plan for RWHG may be found at: www.hhs.gov/hipaa/for-professionals/compliance-enforcement/agreements/ra-cap-with-rwhg/index.html.

The resolution agreement and corrective action plan for Assured Imaging may be found at: www.hhs.gov/hipaa/for-professionals/compliance-enforcement/agreements/ra-cap-with-assured-imaging/index.html.

The resolution agreement and corrective action plan for Consociate may be found at: www.hhs.gov/hipaa/for-professionals/compliance-enforcement/agreements/ra-cap-with-consociate-health/index.html.

The resolution agreement and corrective action plan for SG Health Plan may be found at: www.hhs.gov/hipaa/for-professionals/compliance-enforcement/agreements/ra-cap-with-sg-health-plan/index.html.