On October 6 and 31, 2024, the Department of Health and Human Services (“HHS”) and the Office for Civil Rights (“OCR”) announced settlements with Plastic Surgery Associates of South Dakota in Sioux Falls (“PSASD”) and Bryan County Ambulance Authority (“BCAA”), respectively, concerning potential violations of the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”) Security Rule. PSASD agreed to a $500,000 settlement following an OCR investigation into a ransomware attack breach, while BCAA settled for $90,000 in relation to a similar ransomware attack on its information systems.
Employer Action Items
- The latest settlements mark the sixth and seventh ransomware enforcement actions for the OCR. The agency settled its first ransomware investigation about a year ago. There has been a steady rise in recent breaches. Covered entities should take the following steps to ensure compliance with HIPAA and protect protected health information (“PHI”) from breaches:
- Employers and plan sponsors should hire a consultant to assist in prudently selecting a service provider with strong cybersecurity practices and subsequently monitoring the activities of any engaged provider;
- Review the HIPAA Breach Notification and Security Rules;
- Employers should develop a cybersecurity program, along with essential best practices for privacy and security, inside and outside the walls of the organizations;
- Employers should also develop written privacy and security assuredness policies and procedures, governing the administration of confidential and protected health information, and to mitigate related, interconnected, and other arising security risks;
- Employers should contemplate and explore cybersecurity insurance offerings, ideally underwriting such coverage prior to the occurrence of a cybersecurity event affecting the organization’s operations or data;
- Review the press release by HHS at this LINK;
Summary
HHS and OCR have recently announced settlements with two healthcare providers, highlighting the increasing focus on cybersecurity in the healthcare sector.
On October 6 and 31, 2024, the OCR settled violations of the HIPAA Security Rule with PSASD and BCAA. The settlements follow ransomware attacks on the organizations’ information systems, with PSASD agreeing to a $500,000 settlement and BCAA agreeing to a $90,000 settlement.
The steady rise in recent breaches underscores the necessity for covered entities to ensure compliance with HIPAA and protect protected health information (PHI) from breaches.
Federal regulators have intensified their focus on healthcare cybersecurity and signaled an interest in mandating more cyber standards due to the growing threats. “Thinking about that number of Americans that will be impacted, that number of cyberattacks that are impacting our healthcare system, it is the top priority for my office,” said OCR Director Melanie Fontes Rainer during an interview at the HLTH organization last month.
The investigation into PSASD revealed that the provider failed to conduct an analysis to identify risks to protected health information, did not implement security measures to reduce those vulnerabilities, failed to regularly review IT system activity, and lacked policies to address security incidents. As part of the settlement, PSASD agreed to a corrective action plan, and the OCR will monitor the provider for two years.
BCAA will also implement a corrective action plan. This settlement marks the OCRs first linked to an initiative focusing on compliance with HIPAA’s risk analysis provision. Under the law, covered entities are required to conduct a thorough assessment of the potential risks and vulnerabilities to the confidentiality and security of the organization’s protected health information.
The recent settlements and increased regulatory scrutiny highlight the critical importance of cybersecurity in the healthcare industry, urging organizations to take diligent steps to protect sensitive health information.
Additional Resources:
To obtain additional support for performance of these and other HIPAA requirements, as mandated by the Security and Privacy Rules, please reach out to your local service colleague or your client advisor.
For more information
We’re ready when you are. Get in touch and a friendly, knowledgeable Baldwin advisor is prepared to discuss your business or individual needs, ask a few questions to get the full picture, and make a plan to follow up.
This document is intended for general information purposes only and should not be construed as advice or opinions on any specific facts or circumstances. The content of this document is made available on an “as is” basis, without warranty of any kind. The Baldwin Insurance Group Holdings, LLC (“The Baldwin Group”), its affiliates, and subsidiaries do not guarantee that this information is, or can be relied on for, compliance with any law or regulation, assurance against preventable losses, or freedom from legal liability. This publication is not intended to be legal, underwriting, or any other type of professional advice. The Baldwin Group does not guarantee any particular outcome and makes no commitment to update any information herein or remove any items that are no longer accurate or complete. Furthermore, The Baldwin Group does not assume any liability to any person or organization for loss or damage caused by or resulting from any reliance placed on that content. Persons requiring advice should always consult an independent adviser.
The Baldwin Group offers insurance services through one or more of its insurance licensed entities. Each of the entities may be known by one or more of the logos displayed; all insurance commerce is only conducted through The Baldwin Group insurance licensed entities. This material is not an offer to sell insurance.
