WASHINGTON, D.C. — The U.S. Department of Health and Human Services (HHS), through its Office for Civil Rights (OCR), has announced a settlement with Plastic Surgery Associates of South Dakota to resolve multiple alleged violations of the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Security Rule. This settlement follows an OCR investigation into a ransomware attack that compromised the electronic protected health information (ePHI) of over 10,000 individuals.
Ransomware, a prevalent cyber threat in healthcare, involves malicious software that encrypts a user’s data until a ransom is paid. The frequency of large ransomware breaches reported to OCR has surged by 264% since 2018, spotlighting the critical need for robust cybersecurity measures in the healthcare sector. In alignment with Cybersecurity Awareness Month, OCR has been actively collaborating with healthcare entities to enhance their cyber defense strategies.
The investigation into Plastic Surgery Associates of South Dakota was triggered by a breach report in 2017, detailing that nine workstations and two servers were infected with ransomware, affecting 10,229 individuals’ ePHI. The attackers accessed the network via credentials obtained through a brute force attack on the clinic’s remote desktop protocol. Despite efforts, the clinic failed to restore the affected servers from backups.
OCR’s probe uncovered several potential HIPAA Security Rule violations by the clinic. These included an inadequate risk analysis to identify vulnerabilities, insufficient security measures to mitigate risks, and a lack of comprehensive procedures to monitor and handle security incidents. The clinic also failed to maintain appropriate backup systems and ensure proper access controls for ePHI.
As part of the settlement, Plastic Surgery Associates of South Dakota agreed to a payment of $500,000 and the implementation of a corrective action plan designed to rectify the identified security deficiencies. Key elements of this plan include conducting a thorough risk analysis, developing a written risk management strategy, and establishing procedures to manage and document security incidents effectively.
Moreover, the clinic is required to create and maintain retrievable exact copies of ePHI, test the recoverability of backups regularly, and store encrypted backups securely in multiple locations. It must also refine its policies to verify the identities of those accessing ePHI and restrict access rights to authorized individuals or software programs only.
Additionally, Plastic Surgery Associates of South Dakota must update its policies on the use and disclosure of protected health information (PHI) to ensure workforce compliance. This includes understanding permissible uses and disclosures, recognizing potential violations, and timely reporting of breaches. The clinic is also tasked with revising its Breach Notification procedures to ensure timely notification to affected individuals, the HHS Secretary, and, when necessary, the media.
Training on HIPAA policies and procedures is mandated for all workforce members to foster adherence to the revised security protocols.
This settlement underscores the importance of rigorous cybersecurity measures and HIPAA compliance to safeguard sensitive health information. The OCR continues to enforce the HIPAA Privacy, Security, and Breach Notification Rules, ensuring that healthcare entities maintain the highest standards of data protection and patient confidentiality.
For the latest news on everything happening in Chester County and the surrounding area, be sure to follow MyChesCo on Google News and MSN.