11 December 2024

HHS Office Of Civil Rights Imposes $240,000 Penalty Against Health Care Provider After Violation Of HIPAA Security Rule Results In Ransomware Attack

Hall Benefits Law


Strategically designed, legally compliant benefit plans are the cornerstone of long-term business stability and growth. As such, HBL provides comprehensive legal guidance on benefits in M&A, ESOPs, executive compensation, health and welfare benefits, retirement plans, and ERISA litigation matters. Responsive, relationship-driven counsel is the calling card of the Firm.

The Office for Civil Rights (OCR) of the U.S. Department of Health and Human Services (HHS) has announced the imposition of a $240,000 civil penalty against Providence Medical Institute in southern California for violating the HIPAA Security Rule. OCR investigated the covered entity after it reported a series of ransomware attacks that compromised the electronic protected health information (ePHI) of 85,000 individuals, including names, addresses, Social Security numbers, health care information, driver's license numbers, and bank account numbers.

The cybersecurity breach began when a staff member clicked on a phishing email. The attacker was then able to gain remote access to the ePHI using administrator credentials.

The covered entity had used an IT company to provide data management services. However, for multiple years the covered entity failed to have a business associate agreement in place with the IT company, which caused access control deficiencies and contributed to the ransomware attacks. It also failed to implement any policies or procedures designed to allow only authorized persons or software programs to access the ePHI. In its investigation, OCR found that the covered entity did not act reasonably to end the unauthorized access to its system: simply changing the compromised administrator credential would have prevented the repeated attacks.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.
