On July 2, 2024, the U.S. Department of Health and Human Services’ Office for Civil Rights (OCR) announced a settlement with Heritage Valley Health System (Heritage Valley), a healthcare provider operating in Pennsylvania, Ohio, and West Virginia. This is the OCR’s third ransomware settlement and is based on allegations of potential violations of the Health Insurance Portability and Accountability Act (HIPAA) Security Rule following a ransomware attack. With ransomware continuing to decimate the healthcare sector, it is crucial for organizations to prioritize cybersecurity to protect patient data and ensure continuity of care.

Ransomware and hacking have continued to be some of the most common types of cyberattacks in the healthcare sector. Since 2018, there has been a staggering 264% increase in large breaches reported to the OCR involving ransomware attacks. This alarming trend highlights the urgent need for healthcare entities to implement the necessary measures to safeguard patient protected health information.

In the case of Heritage Valley, OCR’s investigation revealed multiple potential violations, including the failure to conduct a compliant risk analysis, implement a contingency plan to respond to emergencies like ransomware attacks, and restrict access to authorized users.

Settlement and Corrective Action Plan
To resolve the potential violations, Heritage Valley has agreed to pay a settlement of $950,000 and implement a three-year corrective action plan monitored by the OCR. The plan includes conducting an accurate risk analysis, implementing a risk management plan, reviewing and revising policies and procedures to comply with HIPAA Rules, and providing comprehensive training to the workforce on HIPAA policies and procedures.

Recommended Proactive Measures to Prevent Cyber Threats
OCR recommends several proactive steps that healthcare providers, health plans, clearinghouses, and business associates covered by HIPAA can take to mitigate or prevent cyber threats. These steps include the following:

  • Review all vendor and contractor relationships to ensure business associate agreements are in place as appropriate and address breach/security incident obligations.
  • Integrate risk analysis and risk management into business processes; conduct them regularly and whenever new technologies and business operations are planned.
  • Ensure audit controls are in place to record and examine information system activity.
  • Implement regular review of information system activity.
  • Utilize multi-factor authentication to ensure only authorized users are accessing electronic protected health information (ePHI).
  • Encrypt ePHI to guard against unauthorized access to ePHI.
  • Incorporate lessons learned from incidents into the overall security management process.
  • Provide training specific to the organization and job responsibilities, and on a regular basis; reinforce workforce members’ critical role in protecting privacy and security.

To learn more about the resolution agreement and corrective action plan, visit: https://www.hhs.gov/hipaa/for-professionals/compliance-enforcement/agreements/hvhs-ra-cap/index.html

See also: Health System to Pay $950,000 to Resolve HHS Privacy Violations

Published by Shawn E. Tuma

Shawn Tuma is an attorney who is internationally recognized in cybersecurity, computer fraud and data privacy law, areas in which he has practiced for nearly two decades. He is a Partner at Spencer Fane, LLP where he regularly serves as outside cybersecurity and privacy counsel to a wide range of companies from small to midsized businesses to Fortune 100 enterprises. You can reach Shawn by telephone at 972.324.0317 or email him at stuma@spencerfane.com.
