OCR Settles Ransomware Investigation With Michigan Surgical Group for $10,000
Another ransomware investigation has been settled by the HHS’ Office for Civil Rights (OCR) with a financial penalty. Northeast Surgical Group, P.C, a Michigan-based provider of surgical services, has agreed to pay $10,000 to resolve a potential violation of the HIPAA Security Rule – The failure to conduct a comprehensive and accurate risk analysis to identify risks and vulnerabilities to the confidentiality, integrity, and availability of electronic protected health information (ePHI).
On March 6, 2023, Northeast Surgical Group notified OCR that the ePHI of 15,298 patients on its network had been encrypted in a ransomware attack. The forensic investigation confirmed that the ransomware group exfiltrated files containing patient information before ransomware was used to encrypt files. Its entire patient population had potentially been affected. OCR investigated the data breach to determine if Northeast Surgical Group was compliant with the HIPAA Rules and determined that Northeast Surgical Group had failed to conduct a HIPAA-compliant risk analysis. This was OCR’s 10th enforcement action related to a ransomware attack and the 4th financial penalty imposed under its risk analysis enforcement initiative.
OCR agreed to settle the alleged violation informally with Northeast Surgical Group agreeing to pay a $10,000 financial penalty. The settlement agreement also includes a corrective action plan, which requires Northeast Surgical Group to conduct a HIPAA-compliant risk analysis, develop a plan to reduce the identified risks to a low and acceptable level, revise its current policies and procedures relating to risk analysis and the implementation of the risk management plan, and provide training to the workforce on the revised policies and procedures. OCR will monitor Northeast Surgical Group’s efforts to comply with the corrective action plan for two years.
Since 2018, there has been a 264% increase in large data breaches related to ransomware attacks. In many cases, hackers exploited vulnerabilities that should have been identified by a risk analysis and addressed before they could be exploited. “One of the first steps in implementing effective cybersecurity in health care is assessing the potential risks and vulnerabilities to electronic protected health information,” said OCR Director Melanie Fontes Rainer. “A failure to conduct a HIPAA risk analysis will leave a health care entity vulnerable to cyberattacks, such as hacking and ransomware—which is bad for our health care system and bad for patients. We can and must do better.”
Get The FREE
HIPAA Compliance Checklist
Immediate Delivery of Checklist Link To Your Email Address
Please Enter Correct Email Address
Your Privacy Respected
HIPAA Journal Privacy Policy
