The Office for Civil Rights (OCR) of the U.S. Department of Health and Human Services (HHS) has announced a $240,000 civil penalty against Providence Medical Institute in southern California for violating the HIPAA Security Rule. OCR investigated the covered entity after it reported a series of ransomware attacks that compromised the electronic protected health information (ePHI) of 85,000 individuals, including names, addresses, Social Security numbers, health care information, driver's license numbers, and bank account numbers.
The breach began when a staff member clicked on a phishing email. The attacker was then able to gain remote access to the ePHI using administrator credentials.
The covered entity had used an IT company to provide data management services. However, for multiple years it failed to have a business associate agreement in place with the IT company, which caused access control deficiencies and contributed to the ransomware attacks. It also failed to implement any policies or procedures designed to allow only authorized persons or software programs to access the ePHI. In its investigation, OCR found that the covered entity did not act reasonably to end the unauthorized access to its systems: simply changing the compromised administrator credential would have prevented the repeated attacks.