$500,000 HIPAA Penalty for South Dakota Plastic Surgery Practice
The Department of Health and Human Services (HHS) Office for Civil Rights (OCR) has agreed to settle an investigation of a ransomware attack at a South Dakota plastic surgery practice, its 6th ransomware investigation to result in a financial penalty.
OCR has seen a 264% increase in ransomware-related large data breaches since 2018, as ransomware groups have extensively targeted healthcare providers. OCR investigates all large data breaches and has closed investigations of several ransomware-related breaches without pursuing civil monetary penalties. Financial penalties are pursued if OCR identifies a failure to comply with the HIPAA Rules. In multiple guidance documents and video presentations, OCR has explained that HIPAA Security Rule compliance improves defenses against ransomware attacks, helps covered entities detect attacks in progress, and limits the severity of attacks.
“Ransomware attacks often reveal a provider’s underlying failures to comply with the HIPAA Security Rule requirements such as conducting a risk analysis or managing identified risks and vulnerabilities to health information,” said OCR Director Melanie Fontes Rainer. “Such failures can make our doctors and hospitals attractive targets for cyberattacks and can lead to breakdowns in our health care system.”
The ransomware attack that triggered the investigation occurred in February 2017. OCR was notified by Plastic Surgery Associates of South Dakota about the data breach in July 2017 and was informed that the ransomware attack affected two servers and nine workstations, on which the protected health information of 10,229 individuals was stored. Plastic Surgery Associates of South Dakota was unable to restore the server from backups, so the decision was taken to pay the ransom and two Bitcoin payments were made totaling around $53,000.
The ransomware group gained access to the network using brute force methods to guess the login information for remote desktop protocol, a commonly used attack method to gain initial access to internal networks. Covered entities can reduce the risk of brute force attacks by requiring remote access via a VPN, setting strong and unique passwords, implementing multifactor authentication, and monitoring for failed login attempts.
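The last of those measures, monitoring for failed login attempts, is the one that would have surfaced this attack while it was still a string of guesses rather than an encrypted server. The script below is an added example, not part of the OCR announcement or this article: it reads a constructed text rendering of Windows Security events (4625 failed logon, 4624 successful logon; LogonType 10 is a RemoteInteractive, i.e. RDP, session) and raises an alert for any source address that produces five or more failed RDP logons inside a ten-minute window, noting the accounts tried and whether the same address then logged on successfully. The log format, addresses, account names and timestamps are all constructed for the example.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample lines (not from the page), loosely modelled on Windows
# Security events 4625 (failed logon) and 4624 (successful logon) exported as
# text. LogonType=10 is RemoteInteractive, i.e. an RDP session.
SAMPLE_LOG = """\
2017-02-10T02:14:01 EventID=4625 LogonType=10 Account=administrator SourceIP=203.0.113.7
2017-02-10T02:14:03 EventID=4625 LogonType=10 Account=administrator SourceIP=203.0.113.7
2017-02-10T02:14:06 EventID=4625 LogonType=10 Account=admin SourceIP=203.0.113.7
2017-02-10T02:14:09 EventID=4625 LogonType=10 Account=backup SourceIP=203.0.113.7
2017-02-10T02:14:12 EventID=4625 LogonType=10 Account=administrator SourceIP=203.0.113.7
2017-02-10T02:15:40 EventID=4625 LogonType=10 Account=jsmith SourceIP=198.51.100.22
2017-02-10T02:16:02 EventID=4625 LogonType=10 Account=administrator SourceIP=203.0.113.7
2017-02-10T02:16:30 EventID=4624 LogonType=10 Account=administrator SourceIP=203.0.113.7
2017-02-10T09:01:00 EventID=4625 LogonType=2 Account=jsmith SourceIP=-
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) EventID=(?P<event>\d+) LogonType=(?P<ltype>\d+) "
    r"Account=(?P<account>\S+) SourceIP=(?P<ip>\S+)$"
)


def parse_line(line):
    """Parse one constructed log line into a dict, or None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return {
        "ts": datetime.fromisoformat(m["ts"]),
        "event": int(m["event"]),
        "logon_type": int(m["ltype"]),
        "account": m["account"],
        "ip": m["ip"],
    }


def detect_rdp_brute_force(log_text, threshold=5, window=timedelta(minutes=10)):
    """Return one alert per source IP that produced >= threshold failed RDP
    logons (4625, LogonType 10) inside a sliding time window.

    Each alert records the accounts attempted and, if the same address later
    logged on successfully over RDP (4624), the time of that success. A burst
    of failures followed by a success is the pattern a responder should treat
    as a probable compromise rather than as noise."""
    recent = defaultdict(deque)   # ip -> timestamps of failures inside the window
    accounts = defaultdict(set)   # ip -> accounts attempted so far
    alerts = {}                   # ip -> alert dict
    for raw in log_text.splitlines():
        ev = parse_line(raw)
        if ev is None or ev["logon_type"] != 10:
            continue              # only remote (RDP) logons are of interest here
        ip = ev["ip"]
        if ev["event"] == 4625:
            q = recent[ip]
            q.append(ev["ts"])
            accounts[ip].add(ev["account"])
            while q and ev["ts"] - q[0] > window:
                q.popleft()       # discard failures that fell outside the window
            if ip in alerts:
                alerts[ip]["failures"] += 1
                alerts[ip]["accounts"].add(ev["account"])
            elif len(q) >= threshold:
                alerts[ip] = {
                    "first_failure": q[0],
                    "failures": len(q),
                    "accounts": set(accounts[ip]),
                    "success_after": None,
                }
        elif ev["event"] == 4624 and ip in alerts:
            alerts[ip]["success_after"] = ev["ts"]
    return alerts


if __name__ == "__main__":
    for ip, alert in detect_rdp_brute_force(SAMPLE_LOG).items():
        print(f"{ip}: {alert['failures']} failed RDP logons from "
              f"{alert['first_failure']} against {sorted(alert['accounts'])}; "
              f"successful logon afterwards: {alert['success_after']}")
```

In the sample, 203.0.113.7 trips the threshold on its fifth failure, keeps going, and then logs on as administrator; the single failure from 198.51.100.22 and the local (LogonType 2) failure are ignored. In practice the same logic is usually fed from the Security event log or a SIEM, the threshold and window are tuned to the environment, and a confirmed alert leads to locking the exposed RDP endpoint behind a VPN with multifactor authentication rather than just blocking one address.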
OCR’s investigation identified “significant noncompliance with the HIPAA Rules,” as has been the case with several of OCR’s ransomware investigations. The plastic surgery practice had not conducted an accurate and thorough risk analysis to identify potential risks and vulnerabilities to electronic protected health information (ePHI) and failed to implement policies and procedures to prevent, detect, contain, and correct security violations. The failure to identify risks and vulnerabilities meant appropriate security measures had not been implemented to reduce risks and vulnerabilities to a reasonable and appropriate level.
The HIPAA Security Rule requires policies and procedures to be implemented for regularly reviewing activity in information systems that contain ePHI, but Plastic Surgery Associates of South Dakota failed to implement those policies and procedures. Policies and procedures had also not been implemented to address security incidents. Plastic Surgery Associates of South Dakota chose not to contest the findings and agreed to a settlement, with no admission of liability or wrongdoing. The settlement includes a $500,000 financial penalty, a robust corrective action plan to address the noncompliance, and 2 years of monitoring to ensure compliance with the corrective action plan.
The corrective action plan includes conducting a comprehensive risk analysis; developing and implementing a written risk management plan to reduce the identified risks to a reasonable level; implementing policies and procedures for responding to security incidents; implementing policies and procedures establishing methods to create and maintain retrievable backups of ePHI; implementing policies and procedures for verifying identities and restricting access to ePHI; developing written policies on uses and disclosures of ePHI; revising breach notification policies and procedures; and providing training to the workforce on HIPAA policies and procedures.
In its announcement, OCR reminded HIPAA-regulated entities of the importance of the HIPAA Security Rule and of taking steps to mitigate and prevent cyber threats. HIPAA-regulated entities can further improve security by implementing the cybersecurity measures detailed in the HHS Cybersecurity Performance Goals (CPGs). This is the 10th OCR enforcement action in 2024 to result in a financial penalty and the third-largest penalty of the year. OCR has imposed a total of $7,050,200 in penalties to resolve HIPAA violations in 2024.