Cascade Eye and Skin Centers Settles Alleged HIPAA Violations for $250,000
The Department of Health and Human Services (HHS) Office for Civil Rights (OCR) has settled alleged HIPAA violations with the Washington healthcare provider Cascade Eye and Skin Centers, P.C. for $250,000. OCR launched an investigation of the privately-owned Washington healthcare provider after learning on May 26, 2017, that patient data had been exposed in a March 2017 ransomware attack. According to OCR, the ransomware group had access to a network server where 291,000 files containing patients’ protected health information were stored.
The investigation uncovered one of the most common HIPAA compliance failures – the lack of a comprehensive, accurate, organization-wide risk analysis to identify potential risks and vulnerabilities to electronic protected health information (ePHI), as required by 45 C.F.R. § 164.308(a)(1)(ii)(A). OCR also determined there were insufficient reviews of activity in information systems that contained ePHI, as required by 45 C.F.R. § 164.308(a)(1)(ii)(D).
Cascade Eye and Skin Centers was given the opportunity to settle the alleged HIPAA violations and chose to pay the financial penalty and adopt a corrective action plan, with no admission of wrongdoing or liability. The settlement agreement also includes a comprehensive corrective action plan, compliance with which will be monitored by OCR for 2 years.
Cascade Eye and Skin Centers has agreed to conduct an accurate and thorough risk analysis to determine potential risks and vulnerabilities to the confidentiality, integrity, and availability of its ePHI, and manage and reduce any identified risks to a low and acceptable level. Policies will be developed and implemented to regularly review records of activity in information systems, for responding to emergencies that damage systems containing ePHI, and for assigning a unique identifier for tracking user identity within its systems that contain ePHI.
“Cybercriminals continue to target the [health] care sector with ransomware attacks. Health care entities that do not thoroughly assess the risks to electronic protected health information and regularly review the activity within their electronic health record system leave themselves vulnerable to attack, and expose their patients to unnecessary risks of harm,” said OCR Director Melanie Fontes Rainer. “Ensuring the confidentiality of electronic protected health information is critical to protect health information privacy and integral to our national security in the health care sector. OCR urges all health care entities to take the essential precautions and stay vigilant to safeguard their systems from cyberattacks.”
According to OCR, there has been a 264% increase in ransomware-related large data breaches since 2018. OCR has recommended all HIPAA-regulated entities improve their defenses and ransomware mitigations by:
- Reviewing vendor/contractor relationships and ensuring business associate agreements are in place and that breach/security incident obligations are addressed.
- Integrating risk analysis and risk management into business processes and ensuring risk analyses are regularly conducted.
- Ensuring audit controls are in place to record and examine information system activity.
- Implementing regular reviews of information system activity.
- Implementing multi-factor authentication.
- Encrypting ePHI to prevent unauthorized access.
- Incorporating lessons learned from incidents into the overall security management process.
- Providing training specific to the organization and job responsibilities and regularly reinforcing that training.
This is the fourth financial penalty to be imposed by OCR to resolve an investigation of a ransomware-related data breach, and OCR’s seventh financial penalty of the year to resolve alleged HIPAA violations.