OCR Agrees $80K Settlement with Elgon Information Systems to Resolve Risk Analysis Failure
The HHS’ Office for Civil Rights (OCR) has announced its first HIPAA enforcement action of the year to resolve alleged violations of the HIPAA Rules. Elgon Information Systems, a Massachusetts provider of electronic medical records and billing support services, has settled the investigation and paid an $80,000 penalty. This was OCR’s eighth investigation of a ransomware-related data breach and its second enforcement action under its risk analysis enforcement initiative.
On March 31, 2023, Elgon Information Systems identified an intrusion when a ransom note demanding payment was found. The internal investigation revealed that the ransomware group had gained access to its network on March 25, 2023, through open ports on its firewall. The hackers had access to the electronic protected health information (ePHI) of 31,248 individuals, including names, addresses, dates of birth, Social Security numbers, driver’s license numbers, and clinical information such as diagnoses, health conditions, and medications.
OCR investigated and determined that Elgon Information Systems had failed to conduct a comprehensive and accurate risk analysis, as the open ports on the firewall should have been identified and addressed. In addition to paying the $80,000 penalty, Elgon Information Systems must adopt a corrective action plan which includes reviewing and updating its risk analysis and enterprise risk management plan, reviewing and updating its policies and procedures to ensure compliance with the HIPAA Privacy and Security Rules, and providing HIPAA training to the workforce on HIPAA policies and procedures. OCR will monitor Elgon Information Systems for compliance with the HIPAA Rules for 3 years.
2024 was a busy year for HIPAA enforcement by OCR. According to OCR Director Melanie Fontes Rainer, OCR completed 22 investigations of HIPAA-regulated entities in 2024 that resulted in penalties for HIPAA violations, 17 of which have been announced. That is OCR’s second-highest annual total to date, with more than $9.9 million collected in settlements and civil monetary penalties.
One of the aims of OCR’s proposed update to the HIPAA Security Rule is to address risk analysis noncompliance. The last round of OCR HIPAA compliance audits in 2016-2017 found that most audited HIPAA-regulated entities were not fully compliant with the risk analysis and risk management requirements of the HIPAA Security Rule, and risk analysis failures are commonly identified during investigations of data breaches. “A HIPAA-compliant risk analysis is not only required under the law, but is also an essential step in effective cybersecurity,” said OCR Director Melanie Fontes Rainer. “The best defense to cyberattacks, such as hacking and ransomware, is ensuring that potential risks and vulnerabilities to electronic protected health information have been assessed.”
The regulatory text states that a comprehensive and accurate risk analysis must be conducted to identify all risks and vulnerabilities to ePHI, but the HIPAA Rule does not state what a risk analysis should entail. The proposed HIPAA Security Rule update includes more specific requirements for the risk analysis, clarifying that HIPAA-regulated entities must create and maintain an accurate inventory of technology assets, determine how ePHI moves through their information systems, and identify the locations within their information systems (or components thereof) where ePHI may be created, received, maintained, or transmitted. Only then will they be able to accurately identify risks and vulnerabilities to ePHI.