OCR Settles Ransomware Attack Investigation with Virtual Private Network Solutions for $90,000
The HHS’ Office for Civil Rights (OCR) has announced another settlement to resolve an investigation of a ransomware attack. Virtual Private Network Solutions will pay a financial penalty of $90,000 after being found to have failed to conduct a HIPAA-compliant risk analysis.
This is the 9th OCR ransomware investigation to result in a financial penalty for noncompliance with the HIPAA Security Rule, and the third HIPAA penalty under OCR’s risk analysis enforcement initiative. OCR received a notification from Virtual Private Network Solutions, a Virginia-based provider of data hosting and cloud services, about a ransomware attack discovered on October 31, 2021. Virtual Private Network Solutions filed the breach report on behalf of 12 affected covered entity clients on December 30, 2021, involving the protected health information of 6,400 individuals. Data compromised in the incident included names, addresses, dates of birth, driver’s license information, social security numbers, other identifiers, claim information, bank account numbers, other financial information, diagnoses/conditions, lab results, medications, and other treatment information. It is unclear how many clients in total were affected, but one known to the HIPAA Journal is Arlington Skin in Virginia, which reported the breach separately as affecting 17,468 patients.
OCR’s investigation identified a failure to conduct a comprehensive and accurate risk analysis to identify all risks and vulnerabilities to the confidentiality, integrity, and availability of electronic protected health information (ePHI), as required by 45 C.F.R. § 164.308(a)(1)(ii)(A) of the HIPAA Security Rule. Virtual Private Network Solutions was given the opportunity to settle the alleged violation informally and agreed to pay a financial penalty of $90,000 and adopt a corrective action plan.
The corrective action plan includes the requirement to conduct a comprehensive and accurate risk analysis, develop and implement a risk management plan, and develop and implement HIPAA policies and procedures concerning risk analysis, risk management, security awareness training, security incident procedures, a data backup plan, and breach notifications. OCR will monitor Virtual Private Network Solutions for compliance for a period of one year.
Get The FREE
HIPAA Compliance Checklist
Immediate Delivery of Checklist Link To Your Email Address
Please Enter Correct Email Address
Your Privacy Respected
HIPAA Journal Privacy Policy
“An accurate and thorough risk analysis is foundational to both HIPAA Security Rule compliance and protecting health information from cyberattacks.” said OCR Director Melanie Fontes Rainer. “Failure to conduct a risk analysis leaves health care entities exposed to future hacking and ransomware attacks. OCR urges health care entities to take the necessary steps to reduce risks and vulnerabilities and safeguard protected health information.”
The risk analysis is one of the most important HIPAA Security Rule provisions, yet many HIPAA-regulated have been discovered to have failed to conduct a risk analysis or have not conducted the risk analysis on all systems that have the potential to touch ePHI or all locations where ePHI is collected, stored, or transmitted. The proposed update to the HIPAA Security Rule contains more specific risk analysis requirements to clarify exactly what a risk analysis should entail.
In its end-of-year summary, OCR Director Melanie Fontes Rainer announced that there had been 22 enforcement actions in 2022 that have resulted in civil monetary penalties or settlements to resolve HIPAA compliance issues, making 2024 the second busiest enforcement year to date. In 2024, OCR collected more than $9.9 million in civil monetary penalties and settlements to resolve HIPAA violations.
