The settlement with Heritage Valley Health System is OCR’s third resolution involving ransomware. The agency has observed a 264% increase in major ransomware breaches since 2018.

Today, the U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR) announced a settlement with Heritage Valley Health System (Heritage Valley), which operates in Pennsylvania, Ohio, and West Virginia. This settlement addresses potential violations of the Health Insurance Portability and Accountability Act (HIPAA) Security Rule following a ransomware attack. Ransomware and hacking are major cyber threats in the healthcare sector. Since 2018, large ransomware breaches reported to OCR have increased by 264%.

“Hacking and ransomware are the most common types of cyberattacks in the healthcare sector. Failing to implement the HIPAA Security Rule requirements leaves healthcare entities vulnerable and makes them attractive targets for cybercriminals,” said OCR Director Melanie Fontes Rainer. “Protecting patient information ensures privacy and continuity of care, which is our top priority. We urge healthcare entities to safeguard their record systems and patients from cyberattacks.”

OCR enforces the HIPAA Privacy, Security, and Breach Notification Rules, which outline the requirements for covered entities (such as health plans, healthcare clearinghouses, and most healthcare providers) and business associates to protect the privacy and security of protected health information. The settlement resolves OCR’s investigation into Heritage Valley’s compliance with the HIPAA Security Rule.

OCR’s investigation identified multiple potential violations of the HIPAA Security Rule by Heritage Valley, including:

  • Failing to conduct a compliant risk analysis to identify potential risks and vulnerabilities to electronic protected health information (ePHI).
  • Failing to implement a contingency plan to respond to emergencies, such as ransomware attacks, that compromise systems containing ePHI.
  • Failing to implement policies and procedures to ensure that only authorized users can access ePHI.

Under the terms of the settlement agreement, Heritage Valley agreed to pay $950,000 and implement a corrective action plan monitored by OCR for three years. The plan includes steps to address potential HIPAA Security Rule violations and protect ePHI, such as:

  • Conducting an accurate and thorough risk analysis to identify potential risks and vulnerabilities to the confidentiality, integrity, and availability of ePHI.
  • Implementing a risk management plan to address and mitigate security risks and vulnerabilities identified in the risk analysis.
  • Reviewing, developing, maintaining, and revising written policies and procedures to comply with HIPAA Rules as necessary.
  • Training its workforce on HIPAA policies and procedures.

OCR recommends that healthcare providers, health plans, clearinghouses, and business associates covered by HIPAA take the following steps to mitigate or prevent cyber threats:

  • Review all vendor and contractor relationships to ensure appropriate business associate agreements are in place, addressing breach and security incident obligations.
  • Integrate regular risk analysis and risk management into business processes, especially when planning new technologies and operations.
  • Ensure audit controls are in place to record and examine information system activity.
  • Conduct regular reviews of information system activity.
  • Utilize multi-factor authentication to ensure only authorized users access ePHI.
  • Encrypt ePHI to prevent unauthorized access.
  • Incorporate lessons learned from incidents into the overall security management process.
  • Provide regular training specific to organizational and job responsibilities, reinforcing the critical role of workforce members in protecting privacy and security.

The resolution agreement and corrective action plan may be found at:
