Skip to content
Baldwin Bulletin

HHS Office for Civil Rights Settles Two Ransomware Cybersecurity Investigations Totaling $590,000

The Baldwin Group
|
Updated: December 6, 2024
|
3 minute read

On October 6 and 31, 2024, the Department of Health and Human Services (“HHS”) and the Office for Civil Rights (“OCR”) announced settlements with Plastic Surgery Associates of South Dakota in Sioux Falls (“PSASD”) and Bryan County Ambulance Authority (“BCAA”), respectively, concerning potential violations of the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”) Security Rule. PSASD agreed to a $500,000 settlement following an OCR investigation into a ransomware attack breach, while BCAA settled for $90,000 in relation to a similar ransomware attack on its information systems.

Employer Action Items

  • The latest settlements mark the sixth and seventh ransomware enforcement actions for the OCR. The agency settled its first ransomware investigation about a year ago. There has been a steady rise in recent breaches. Covered entities should take the following steps to ensure compliance with HIPAA and protect protected health information (“PHI”) from breaches:
    • Employers and plan sponsors should hire a consultant to assist in prudently selecting a service provider with strong cybersecurity practices and subsequently monitoring the activities of any engaged provider;
    • Review the HIPAA Breach Notification and Security Rules;
    • Employers should develop a cybersecurity program, along with essential best practices for privacy and security, inside and outside the walls of the organizations;
    • Employers should also develop written privacy and security assuredness policies and procedures, governing the administration of confidential and protected health information, and to mitigate related, interconnected, and other arising security risks;
    • Employers should contemplate and explore cybersecurity insurance offerings, ideally underwriting such coverage prior to the occurrence of a cybersecurity event affecting the organization’s operations or data;
    • Review the press release by HHS at this LINK;

Summary

HHS and OCR have recently announced settlements with two healthcare providers, highlighting the increasing focus on cybersecurity in the healthcare sector.

On October 6 and 31, 2024, the OCR settled violations of the HIPAA Security Rule with PSASD and BCAA. The settlements follow ransomware attacks on the organizations’ information systems, with PSASD agreeing to a $500,000 settlement and BCAA agreeing to a $90,000 settlement.

The steady rise in recent breaches underscores the necessity for covered entities to ensure compliance with HIPAA and protect protected health information (PHI) from breaches.

Federal regulators have intensified their focus on healthcare cybersecurity and signaled an interest in mandating more cyber standards due to the growing threats. “Thinking about that number of Americans that will be impacted, that number of cyberattacks that are impacting our healthcare system, it is the top priority for my office,” said OCR Director Melanie Fontes Rainer during an interview at the HLTH organization last month.

The investigation into PSASD revealed that the provider failed to conduct an analysis to identify risks to protected health information, did not implement security measures to reduce those vulnerabilities, failed to regularly review IT system activity, and lacked policies to address security incidents. As part of the settlement, PSASD agreed to a corrective action plan, and the OCR will monitor the provider for two years.

BCAA will also implement a corrective action plan. This settlement marks the OCRs first linked to an initiative focusing on compliance with HIPAA’s risk analysis provision. Under the law, covered entities are required to conduct a thorough assessment of the potential risks and vulnerabilities to the confidentiality and security of the organization’s protected health information.

The recent settlements and increased regulatory scrutiny highlight the critical importance of cybersecurity in the healthcare industry, urging organizations to take diligent steps to protect sensitive health information.

Additional Resources:

To obtain additional support for performance of these and other HIPAA requirements, as mandated by the Security and Privacy Rules, please reach out to your local service colleague or your client advisor.


Related Insights

Stay in the know

Our experts monitor your industry and global events to provide meaningful insights and help break down what you need to know, potential impacts, and how you should respond.

Baldwin Bulletin
Upcoming Compliance Deadlines - March 2025
Employers must comply with numerous reporting and disclosure requirements in connection with their group health plans.  Please note the following...
Baldwin Bulletin
DOL Announces 2025 Annual Adjustments to Penalty Amounts
March 5, 2025 Stephanie Hall, Associate Director, Benefits Compliance The Department of Labor (“DOL”) has announced the 2025 annual adjustments...
Baldwin Bulletin
California Corner: New Compliance Obligations and Key Changes from the 2024 Legislative Session
March 5, 2025 Dominique Town, Associate Director, Benefits Compliance With the new year already underway, benefits managers and other plan...
Baldwin Bulletin
Exploring Dependent Care Assistance Programs
March 5, 2025 Caitlin Hillenbrand, Associate Director, Benefits Compliance Many employers understand the benefits of offering a dependent care assistance...
Baldwin Bulletin
Guidance for Establishing a Health and Welfare Plan Fiduciary Committee
March 5, 2025 Jason N. Sheffield, J.D., National Director of Compliance, & Dominique Town, Associate Director, Benefits Compliance Part One:...
Let's make it possible

Partner with us to build solutions that align with your business, individual, or employee needs and open new possibilities for your future.

Connect with us