HHS Office for Civil Rights Settles HIPAA Security Rule Failures for $950,000

The U.S. Department of Health and Human Services’ Office for Civil Rights (OCR) has announced a settlement with Heritage Valley Health System, a health care provider in Pennsylvania, Ohio, and West Virginia, following a ransomware attack. The attack highlighted the increasing issue of ransomware and hacking in the health care sector, with OCR reporting a 264% increase in large breaches involving ransomware attacks since 2018.

OCR enforces the Health Insurance Portability and Accountability Act (HIPAA) Privacy, Security, and Breach Notification Rules, which require covered entities and business associates to protect the privacy and security of protected health information (PHI). The settlement resolves OCR’s investigation into Heritage Valley’s compliance with the HIPAA Security Rule.

OCR’s investigation revealed multiple potential violations of the HIPAA Security Rule, including failure to conduct a compliant risk analysis, implement a contingency plan for emergencies like ransomware attacks, and implement policies and procedures for authorized access to PHI.

Under the terms of the resolution agreement, Heritage Valley agreed to pay $950,000 and implement a corrective action plan to be monitored by OCR for three years. The plan requires Heritage Valley to conduct a risk analysis, implement a risk management plan, review and update its policies and procedures, and provide regular workforce training.

OCR also recommends that covered entities mitigate or prevent cyber-threats by reviewing vendor relationships, integrating risk analysis into business processes, ensuring audit controls, implementing regular reviews of information system activity, using multi-factor authentication, encrypting PHI, incorporating lessons learned from incidents, providing regular training, and reinforcing the critical role of workforce members in protecting privacy and security.

The OCR is committed to enforcing the HIPAA Rules and providing guidance about the Privacy Rule, Security Rule, and Breach Notification Rules on its website. If individuals believe their health information privacy or civil rights have been violated, they can file a complaint with OCR. More information can be found on the HHS Breach Portal and the OCR website.
