HIPAA Breach News

Clinical Trial Software Provider Hit with Ransomware Attack

Philadelphia-based eResearchTechnology, a company that sells software that is used in clinical trials, including clinical trials of Covid-19 vaccines, was hit with a ransomware attack that has affected several of its clients, including at least one company running Covid-19 vaccine trials. The attack occurred on September 20, 2020 and forced some clinical trial researchers to switch to pen and paper to track their patients. While patient safety was never put at risk, the attack has had an effect on clinical trials and has slowed progress.

IQVIA, the research organization running AstraZeneca’s Covid-19 vaccine trial, was one of the organizations affected by the attack, although it is unclear to what extent, if any, the attack affected its Covid-19 vaccine trial. Bristol Myers Squibb, which is leading efforts to develop a rapid test for the virus, was also affected by the ransomware attack. Both firms explained that the effect was limited as they had backups which could be used to recover data. IQVIA issued a statement saying it was unaware of any confidential data related to clinical trials being exfiltrated prior to the use of ransomware to encrypt files.

Following the attack, eResearchTechnology powered down its computer systems and third-party cybersecurity experts were engaged to assist with the investigation and recovery. The Federal Bureau of Investigation was also notified and is investigating the attack. Certain systems have been offline for around 2 weeks, and started to be brought back online on Friday, according to the New York Times. The remainder of its systems are expected to be brought back online in the next few days.

It is unclear which threat group conducted the attack, what ransomware variant was used, and whether the ransom demand was paid for the keys to decrypt files.

eResearchTechnology’s software is extensively used in clinical trials. Last year, around three quarters of all clinical trials that resulted in drug approvals used eResearchTechnology software.

The attack was announced just a few days after Universal Health Services experienced a suspected ransomware attack that affected all of its U.S. locations and forced it to take its systems offline and redirect patients to alternative healthcare providers. Figures from Emsisoft suggest there have been at least 53 ransomware attacks on healthcare providers in the United States so far in 2020. More than 500 hospitals and clinics have been affected by those attacks.

The post Clinical Trial Software Provider Hit with Ransomware Attack appeared first on HIPAA Journal.

Financial information and SSNs Potentially Accessed in Blackbaud Ransomware Attack

On Wednesday, Blackbaud filed a Form 8-K with the U.S. Securities and Exchange Commission (SEC) that provides further information on the ransomware attack the company suffered in May 2020. Blackbaud explained that the forensic investigation into the breach has revealed further information was potentially compromised in the breach. For certain customers, unencrypted fields that were intended for Social Security numbers, bank account information, and usernames and passwords may also have been accessed by the hackers.

Most of the customers affected by the breach did not have this additional information exposed, as the fields for sensitive information were encrypted and any data included in those fields would have been unreadable to the attackers. Blackbaud explained that any customers who may have had sensitive information exposed are being contacted and notified and additional support is being provided.

Blackbaud explained in the SEC filing that the company was able to prevent the attackers from fully encrypting certain files but confirmed that prior to encryption a subset of data was removed from Blackbaud’s private hosted cloud.

Blackbaud previously explained that the ransom demand had been paid to ensure that data stolen in the attack did not get sold or released publicly. Assurances were received that the stolen data had been deleted after the ransom demand was paid. There is no mention in the SEC filing about how much the company paid for the keys to decrypt files and to have the data deleted.

Blackbaud is confident that the data have not been released publicly or further disclosed; however, there is always a risk when paying cybercriminals that have just conducted an attack, stolen data, and encrypted files, that they may not be true to their word and could still have a copy of the stolen data. Blackbaud is taking precautions and has retained a cybersecurity company to monitor the dark web and hacking forums for any release of data stolen in the attack.

Blackbaud sent notifications about the breach on July 16 and HIPAA covered entities have 60 days to report the breach. Throughout August and September, the number of breaches listed on the HHS’ Office for Civil Rights breach portal has steadily grown. At least 58 healthcare organizations in the United States have publicly stated that they have been affected and more than 3 dozen breaches are currently listed on the OCR breach portal.

The worst affected entity so far is Trinity Health, which is listed as having had the protected health information of 3,320,726 individuals exposed in the breach. Inova Health System has reported a breach of 1,045,270 individuals’ PHI, and Northern Light Health says the PHI of 657,392 individuals was exposed. Many other healthcare providers have reported breaches affecting hundreds of thousands of individuals. So far, the protected health information of almost 10 million individuals is known to have been exposed.

Blackbaud is working closely with security firms and law enforcement and investigations into the breach are continuing.


Anthem Inc. Settles State Attorneys General Data Breach Investigations and Pays $48.2 Million in Penalties

The Indianapolis, IN-based health insurer Anthem Inc. has settled multi-state actions by state attorneys general over its 78.8 million record data breach in 2014. One settlement was agreed with Attorneys General in 41 states and Washington D.C. for $39.5 million and a separate settlement was reached with the California Attorney General for $8.7 million. The settlements resolve alleged violations of Federal and state laws that contributed to the data breach, the largest ever breach of healthcare data in the United States.

The cyberattack on Anthem occurred in 2014. Hackers targeted the health insurer with phishing emails, the responses to which gave them the foothold in the network they needed. From there, the hackers spent months exploring Anthem’s network and exfiltrating data from its customer databases. Data stolen in the attack included the names, contact information, dates of birth, health insurance ID numbers, and Social Security numbers of current and former health plan members and employees. The breach was announced by Anthem in February 2015. A Chinese national and an unnamed accomplice were charged in connection with the cyberattack in May 2019.

A breach on that scale naturally attracted the attention of the HHS’ Office for Civil Rights (OCR), which investigated the breach and discovered multiple potential violations of the HIPAA Rules. Anthem settled the HIPAA violation case with OCR for $16 million in October 2018. The HIPAA violation penalty was, and still is, the largest ever financial penalty imposed on a covered entity or business associate for violations of the HIPAA Rules.

Many lawsuits were filed on behalf of victims of the data breach over the theft of their protected health information. Anthem settled the consolidated class action lawsuit in 2018 for $115 million.

State Attorneys General investigated the breach to determine whether HIPAA and state laws had been violated. The multi-state investigation has taken 5 years to come to a conclusion, but the settlements now draw a line under the breach. Anthem has now paid $179.2 million to settle lawsuits and legal actions over the 2014 cyberattack.

In addition to the $48.2 million financial penalty, Anthem agreed to take a number of corrective actions to improve data security practices. These include implementing a comprehensive information security program based on the principles of zero trust architecture. Regular security reports are now sent to the board of directors and significant security events are reported promptly to the CEO.

Anthem has implemented multi-factor authentication, network segmentation, access controls, and data encryption, and is logging and monitoring information system activity. Anthem is conducting regular security risk assessments and penetration tests and provides regular security awareness training to its workforce. The corrective action plan also includes the requirement to undergo third-party security audits and assessments for three years, and to provide the results of those audits to a third-party assessor.

Anthem issued a statement in relation to the settlements saying, “[Anthem] does not believe it violated the law in connection with its data security and is not admitting to any such violations,” and also said that there had been no evidence uncovered to indicate any information stolen in the attack has been used to commit fraud or identity theft.

“When consumers must disclose confidential personal information to health insurers, these companies owe their customers the duty to protect their private data,” said California Attorney General Xavier Becerra. “Anthem failed in that duty to its customers. Anthem’s lax security and oversight hit millions of Americans. Now Anthem gets hit with a penalty, in the millions, in return.”


PHI of 26,861 Patients Potentially Compromised in Oaklawn Hospital Phishing Attack

Oaklawn Hospital in Marshall, MI, has started notifying 26,861 patients about a potential breach of their personal and health information.

It is unclear when the breach was detected, but the forensic investigation revealed on July 28, 2020 that the email accounts of certain employees had been accessed by unauthorized third parties between April 14 and April 15, 2020. Access to the accounts was gained after employees responded to phishing emails and disclosed their email credentials. The breach was detected when suspicious emails were found in several employee email accounts.

A comprehensive manual document review was conducted to identify any protected health information stored in the compromised email accounts. The compromised accounts were discovered to contain patient names along with dates of birth, medical information, and health insurance information. The Social Security numbers, driver’s license numbers, financial account information, and online login information of “a very limited” number of patients were also potentially compromised. The delay in issuing notification letters was due to the time-consuming manual document review process.

The phishing attack prompted Oaklawn Hospital to review its cybersecurity protections and significant measures have now been taken to improve technical security safeguards, including the use of multi-factor authentication software. Employees have also been provided with additional security awareness training.

All patients affected by the breach have been advised to monitor their explanation of benefits statements for any transactions related to care or services that they have not received and individuals whose Social Security number was potentially compromised have been offered complimentary credit monitoring services.

While unauthorized email account access was confirmed, the investigation did not uncover any evidence to suggest patient information was accessed or stolen by the attackers and no reports have been received indicating any misuse of patient data.

Mono County Discovers Breach of COVID-19 Statistics Database

Mono County in California has discovered an unauthorized individual gained access to its online COVID-19 statistics database between April 2 and July 24, 2020. The database included the protected health information of individuals who had been tested for COVID-19 prior to July 24, 2020.

The database contained individuals’ date of birth, gender, race, geographic region of residence in Mono County, and the result of their COVID-19 test. Names, addresses, and other identifying information were not included in the database. The database was secured on July 28, 2020 and external access is no longer possible.

The breach report submitted to the HHS’ Office for Civil Rights shows the PHI of 2,850 individuals was stored in the database.


4 More U.S. Healthcare Providers Discover Email Account Breaches

Alameda Health System (AHS), an Alameda, CA-based provider of emergency, inpatient, outpatient, and wellness services in the East Bay area, has discovered an unauthorized individual temporarily gained access to the email account of an employee.

AHS learned that the account was accessed for a brief period on April 8, 2020. The breach was discovered by AHS on June 17, 2020.

Assisted by a leading forensic security firm, AHS determined that the following types of information were potentially compromised: names, dates of birth, medical record numbers, appointment dates, limited medical information, health insurance information, Social Security numbers and driver’s license numbers.

AHS and the forensic investigators found no evidence to suggest any information was stolen or misused for the purpose of committing identity theft or fraud, but as a precaution, individuals whose Social Security number was potentially compromised have been offered complimentary membership to credit monitoring and identity theft protection services.

The breach report submitted to the HHS’ Office for Civil Rights shows 2,691 individuals were affected by the breach.

EyeMed Vision Care Suffers Email Account Breach

Ohio-based EyeMed Vision Care LLC, a vision benefits company, has discovered an unauthorized individual has gained access to a corporate email mailbox and used it to send phishing emails to individuals in the address book. The breach was discovered on July 1, 2020 and the account was immediately secured.

An investigation into the breach confirmed access to the email account was gained on June 24, 2020. A review of the email account revealed it contained the electronic protected health information of individuals who currently receive or have previously received vision benefits through EyeMed. Information in the email account included names, addresses, dates of birth, phone numbers, email addresses, and vision insurance account/identification numbers and, for a limited number of individuals, diagnoses and eye conditions, treatment information, and full or partial Social Security numbers.

It was not possible to determine whether any of the information was viewed or obtained during the time the account was accessible, but no reports have been received to suggest any information has been misused. Affected individuals have been offered a 2-year complimentary membership to credit monitoring and identity protection services.

EyeMed has since provided additional security awareness training to the workforce and has implemented further security measures for authorized access to its network.

Century Specialty Script Alerts Customers about Email Security Breach

The New York specialty pharmacy, Century Specialty Script, LLC, has discovered the Office 365 account of one of its employees has been accessed by an unauthorized individual. The breach was detected on or around July 28, 2020 and the account was immediately secured.

A forensic investigation firm was retained to investigate the breach and confirmed that the attacker only gained access to a single Office 365 account, and the breach was limited to the Office 365 environment. As a precaution, the passwords for all Office 365 accounts were changed.

The email account was found to contain the following data elements: names, dates of birth, address, contact information, prescription information, and insurance information. The forensic investigation firm was unable to determine if any information in the account was obtained by the attacker.

Century Specialty Script has since taken steps to strengthen email security to prevent similar breaches in the future.

Stark Summit Ambulance Suffers Multi-Email Account Breach

Stark Summit Ambulance, a provider of emergency and non-emergency medical transportation services in Northeast and Central Ohio, identified suspicious activity in an email account on May 28, 2020. While investigating the breach over the following two months it was discovered that several more email accounts had been compromised.

An analysis of the compromised accounts revealed 6 contained electronic protected health information which may have been viewed or obtained by the individual(s) behind the attack.

The information in the accounts varied from individual to individual and may have included patients’ names along with one or more of the following data types: Social Security number, driver’s license number, state ID number, passport number, medical diagnosis, medical treatment information, treatment type, treatment location, clinical information, mental or physical condition, health care provider/doctor name, date of service, medical history information, health insurance information, Medicare/Medicaid number, other health care payment/cost information, prescription information, checking or savings account, credit or debit card number, or personal identification code.


MU Health Care Phishing Attack Impacts 5,000 Patients

MU Health Care in Missouri has experienced a phishing attack that saw several employee email accounts compromised between May 4 and May 6, 2020. An investigation into the breach revealed the compromised email accounts contained patient information including names, account numbers, dates of birth, health insurance information, Social Security numbers, and driver’s license numbers.

MU Health Care has notified all patients affected by the attack and has offered them complimentary credit monitoring services. No reports have been received that suggest any patient information has been misused.

The compromised email accounts contained the protected health information of 5,074 patients.

Data Leaked Following University Hospital SunCrypt Ransomware Attack

University Hospital, a teaching hospital in Newark, NJ, has experienced a ransomware attack involving SunCrypt ransomware. The attack occurred in September 2020. Prior to the use of ransomware, the attackers exfiltrated around 48,000 documents, some of which were published on the ransomware operator’s data leak site.

It is unclear at this stage how many patients have been affected by the breach, but the leaked data did include some patient data, including names, dates of birth, Social Security numbers, driver’s license numbers, and other data.

The attack appears to have started with a phishing email that resulted in the TrickBot Trojan being downloaded. SunCrypt ransomware was delivered as a secondary payload.

PHI of 4,806 Patients Potentially Compromised in UCare Minnesota Phishing Attack

The non-profit health plan, UCare Minnesota, has experienced a phishing attack involving several employee email accounts. An investigation was launched into a suspected breach when suspicious network activity was detected in April 2020. On May 4, 2020, UCare Minnesota determined certain email accounts had been accessed by an unauthorized individual. The email accounts were immediately secured and were subjected to a review to determine whether member information had been accessed.

UCare Minnesota learned on September 1, 2020 that the email accounts contained the personal and protected health information of 4,806 individuals, including names, birth dates, healthcare provider names, diagnosis information, and health insurance ID numbers.

No evidence was found to suggest any information was exfiltrated or misused by the individuals responsible for the attack. UCare Minnesota has since re-educated employees on phishing attacks and has bolstered email security.

Nebraska Medicine Suffers Cyberattack

Nebraska Medicine has announced it has suffered a cyberattack that has taken its computer systems out of action. The cyberattack occurred on Sunday, September 20, 2020, resulting in an outage that caused “significant information technology system downtime.”

Without access to critical IT systems, Nebraska Medicine was forced to postpone appointments for patients who were due to have elective procedures or had other non-emergent health concerns. Nebraska Medicine issued a statement on September 24 stating normal operations would resume “in days”. The emergency room remained open and no ER patients were diverted to alternate facilities.

It is unclear whether patient records were accessed or stolen in the attack, but Nebraska Medicine confirmed that no patient records were deleted or destroyed and that all patient data could be recovered from backups.


Universal Health Services Ransomware Attack Cripples IT Systems Across United States

Universal Health Services (UHS), a King of Prussia, PA-based health system with more than 400 healthcare facilities in the United States and UK, has suffered a major security breach that has seen its IT systems crippled.

The Fortune 500 healthcare provider has more than 90,000 employees and serves around 3.5 million patients each year. According to a statement published on its website, the company “experienced an information technology security incident in the early morning hours of September 27, 2020.” Upon discovery of the breach, UHS “suspended user access to its information technology applications related to operations located in the United States.”

UHS has implemented information security and emergency protocols and is working closely with its security partners to mitigate the attack and restore its IT operations as quickly as possible. The cyberattack crippled its IT systems, leaving affected hospitals without access to their computer and phone systems. UK facilities were unaffected by the attack.

The attack forced UHS to redirect ambulances to other healthcare providers and patients in need of surgery have been relocated to other nearby hospitals. The notice on the UHS website now says, “While this matter may result in temporary disruptions to certain aspects of our clinical and financial operations, our acute care and behavioral health facilities are utilizing their established back-up processes including offline documentation methods. Patient care continues to be delivered safely and effectively.”

UHS President Marc Miller issued a statement on Monday saying UHS took its systems offline on Sunday in an attempt to contain a malware attack. Those systems were used by approximately 250 U.S. healthcare facilities and included medical record systems and those used by laboratories and pharmacies across the country.

Marc Miller did not provide any details about the nature of the malware, but several individuals who claim to work for UHS have provided information about the attack that strongly suggests ransomware was involved. According to BleepingComputer, which was contacted by an employee of UHS, prior to systems being shut down, files were being renamed and had the .ryk extension added, which is used by Ryuk ransomware.

Several other employees have reported seeing a ransom note on their computers containing the text “Shadow of the Universe,” which is associated with Ryuk ransom notes.

Ryuk ransomware is often deployed as a secondary payload by the TrickBot Trojan, with TrickBot delivered by the Emotet Trojan. Emotet infections commonly start with a phishing email. According to Vitali Kremez of Advanced Intel, their Andariel platform detected multiple Emotet and TrickBot infections at UHS throughout 2020, with the latest detection in September.
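The two indicators the UHS employees described (files being renamed with a .ryk extension, and a note containing “Shadow of the Universe”) are the kind of signal a file-system monitor can alert on before encryption has finished. The following is an added example, not code from HIPAA Journal, UHS, BleepingComputer, or any EDR product: it reads a stream of JSON file events, flags a host when at least five renames to *.ryk land within sixty seconds, and separately flags any written file whose content carries the ransom-note phrase. The JSON event format, the thresholds, the host names and the paths are all assumptions constructed for the example; only the .ryk extension and the note phrase come from the report above.

```python
"""Added example: flag the two Ryuk indicators named in the UHS report
(files renamed to *.ryk, and a ransom note containing "Shadow of the
Universe") in a stream of file-system events.  The JSON event format,
thresholds, host names and paths are assumptions for this example.
"""
import json
from collections import defaultdict, deque
from datetime import datetime, timedelta

RYUK_EXT = ".ryk"                          # extension seen on renamed files at UHS
RYUK_NOTE_PHRASE = "shadow of the universe"  # text seen in the ransom note

# Constructed sample events (one JSON object per line, sorted by time).
# ws-101 shows a rename burst followed by a note; fs-02 shows two isolated
# .ryk renames ten minutes apart, which stay below the burst threshold.
SAMPLE_EVENTS = r"""
{"ts": "2020-09-27T02:00:00", "host": "ws-101", "action": "rename", "path": "C:\\Shares\\report.docx", "new_path": "C:\\Shares\\report_final.docx"}
{"ts": "2020-09-27T02:01:10", "host": "ws-101", "action": "rename", "path": "C:\\Shares\\Billing\\claims.xlsx", "new_path": "C:\\Shares\\Billing\\claims.xlsx.ryk"}
{"ts": "2020-09-27T02:01:11", "host": "ws-101", "action": "rename", "path": "C:\\Shares\\Billing\\invoice.docx", "new_path": "C:\\Shares\\Billing\\invoice.docx.ryk"}
{"ts": "2020-09-27T02:01:12", "host": "ws-101", "action": "rename", "path": "C:\\Shares\\Lab\\results.pdf", "new_path": "C:\\Shares\\Lab\\results.pdf.RYK"}
this line is not json and must be skipped
{"ts": "2020-09-27T02:01:14", "host": "ws-101", "action": "rename", "path": "C:\\Shares\\Lab\\orders.csv", "new_path": "C:\\Shares\\Lab\\orders.csv.ryk"}
{"ts": "2020-09-27T02:01:15", "host": "ws-101", "action": "rename", "path": "C:\\Shares\\Pharmacy\\stock.xlsx", "new_path": "C:\\Shares\\Pharmacy\\stock.xlsx.ryk"}
{"ts": "2020-09-27T02:01:17", "host": "ws-101", "action": "rename", "path": "C:\\Shares\\Pharmacy\\notes.txt", "new_path": "C:\\Shares\\Pharmacy\\notes.txt.ryk"}
{"ts": "2020-09-27T02:01:40", "host": "ws-101", "action": "create", "path": "C:\\Users\\Public\\readme.txt", "content": "... Shadow of the Universe ... contact us to recover your files"}
{"ts": "2020-09-27T03:10:00", "host": "fs-02", "action": "rename", "path": "D:\\archive\\old.zip", "new_path": "D:\\archive\\old.zip.ryk"}
{"ts": "2020-09-27T03:25:00", "host": "fs-02", "action": "rename", "path": "D:\\archive\\older.zip", "new_path": "D:\\archive\\older.zip.ryk"}
"""


def parse_event(line):
    """Parse one JSON event line; return None for blank or malformed input."""
    line = line.strip()
    if not line:
        return None
    try:
        ev = json.loads(line)
        ev["ts"] = datetime.fromisoformat(ev["ts"])
        return ev
    except (ValueError, KeyError, TypeError):
        return None


def detect(lines, burst_min=5, window=timedelta(seconds=60)):
    """Return (host, rule, timestamp) alerts, at most one per host and rule.

    'ryuk_rename_burst': at least burst_min renames to *.ryk on one host
    inside a sliding window of `window`.  Events must arrive in time order.
    'ryuk_ransom_note': a created/written file whose content contains the
    note phrase.  Matching is case-insensitive for both rules.
    """
    recent = defaultdict(deque)   # host -> timestamps of recent .ryk renames
    alerted = set()
    alerts = []

    def raise_alert(host, rule, ts):
        if (host, rule) not in alerted:
            alerted.add((host, rule))
            alerts.append((host, rule, ts))

    for line in lines:
        ev = parse_event(line)
        if ev is None:
            continue
        host, action, ts = ev.get("host"), ev.get("action"), ev["ts"]
        if action == "rename" and ev.get("new_path", "").lower().endswith(RYUK_EXT):
            q = recent[host]
            q.append(ts)
            while q and ts - q[0] > window:   # drop renames outside the window
                q.popleft()
            if len(q) >= burst_min:
                raise_alert(host, "ryuk_rename_burst", ts)
        elif action in ("create", "write") and RYUK_NOTE_PHRASE in ev.get("content", "").lower():
            raise_alert(host, "ryuk_ransom_note", ts)
    return alerts


def run_sample():
    """Run the detector over the constructed sample events."""
    return detect(SAMPLE_EVENTS.splitlines())


if __name__ == "__main__":
    for host, rule, ts in run_sample():
        print(f"{ts.isoformat()} {host} {rule}")
```

The rename-burst rule fires on the fifth .ryk rename on ws-101 rather than waiting for the note, which is the point: by the time a note is on screen the host is already encrypted, so the rename burst is the indicator worth paging on. The thresholds are deliberately low for the example; on a real file server you would tune burst_min and window against a baseline of normal rename activity, and you would key the counter on the writing process as well as the host where the event source provides it.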

The Ryuk ransomware operators are known to exfiltrate data prior to the use of ransomware; however, UHS says on its website that “no patient or employee data appears to have been accessed, copied or otherwise compromised in the attack.”


OCR Imposes 2nd Largest Ever HIPAA Penalty of $6.85 Million on Premera Blue Cross

The Department of Health and Human Services’ Office for Civil Rights (OCR) has imposed a $6.85 million HIPAA penalty on Premera Blue Cross to resolve HIPAA violations discovered during the investigation of a 2014 data breach involving the electronic protected health information of 10.4 million individuals.

Mountlake Terrace, WA-based Premera Blue Cross is the largest health plan in the Pacific Northwest and serves more than 2 million individuals in Washington and Alaska. In May 2014, an advanced persistent threat group gained access to Premera’s computer system where they remained undetected for almost 9 months. The hackers targeted the health plan with a spear phishing email that installed malware. The malware gave the APT group access to ePHI such as names, addresses, dates of birth, email addresses, Social Security numbers, bank account information, and health plan clinical information.

The breach was discovered by Premera Blue Cross in January 2015 and OCR was notified about the breach in March 2015. OCR launched an investigation into the breach and discovered “systemic noncompliance” with the HIPAA Rules.

OCR determined that Premera Blue Cross had failed to:

  • Conduct a comprehensive and accurate risk analysis to identify all risks to the confidentiality, integrity, and availability of ePHI.
  • Reduce risks and vulnerabilities to ePHI to a reasonable and appropriate level.
  • Implement sufficient hardware, software, and procedural mechanisms to record and analyze activity related to information systems containing ePHI, prior to March 8, 2015.
  • Prevent unauthorized access to the ePHI of 10,466,692 individuals.

Due to the nature of the HIPAA violations and scale of the breach, OCR determined a financial penalty was appropriate. Premera Blue Cross agreed to settle the HIPAA violation case with no admission of liability. In addition to the financial penalty, Premera Blue Cross has agreed to adopt a robust corrective action plan to address all areas of noncompliance discovered during the OCR investigation. Premera Blue Cross will also be closely monitored by OCR for two years to ensure compliance with the CAP.

“If large health insurance entities don’t invest the time and effort to identify their security vulnerabilities, be they technical or human, hackers surely will. This case vividly demonstrates the damage that results when hackers are allowed to roam undetected in a computer system for nearly nine months,” said Roger Severino, OCR Director.

“We are pleased to have reached an agreement with the federal Office for Civil Rights to resolve legal inquiries into the 2014 cyberattack on our data network,” said Premera Blue Cross in a statement. “The commitments we have agreed to are consistent with our ongoing focus on protecting personal customer information.”

Last year, Premera Blue Cross agreed to settle a $10 million HIPAA violation lawsuit over the breach. The health plan had been investigated by 30 state attorneys general who determined Premera Blue Cross had not met its obligations under HIPAA and Washington’s Consumer Protection Act. In 2019, Premera Blue Cross also agreed to settle a $74 million lawsuit filed on behalf of individuals whose ePHI was exposed in the breach.

The latest penalty is the second largest HIPAA penalty imposed on a covered entity or business associate by OCR to resolve HIPAA violations, behind the $16 million financial penalty imposed on Anthem Inc. over its 2014 data breach involving the ePHI of 78.8 million individuals.

The fine is the 11th HIPAA violation penalty to be announced by OCR in 2020 and the 8th to be announced this month. So far in 2020, OCR has been paid $10,786,500 to resolve HIPAA violations discovered during investigations of data breaches and HIPAA complaints.


Business Associate Fined $2.3 Million for Breach of 6 Million Records and Multiple HIPAA Failures

The Department of Health and Human Services’ Office for Civil Rights has announced its 10th HIPAA violation fine of 2020. This is the 7th financial penalty to resolve HIPAA violations that has been announced in as many days.

The latest financial penalty is the largest to be imposed in 2020 at $2.3 million and resolves a case involving 5 potential violations of the HIPAA Rules, including a breach of the electronic protected health information (ePHI) of 6,121,158 individuals.

CHSPSC LLC is a Tennessee-based management company that provides services to many subsidiary hospital operator companies and other affiliates of Community Health Systems, including legal, compliance, accounting, operations, human resources, IT, and health information management services. The provision of those services requires access to ePHI, so CHSPSC is classed as a business associate and is required to comply with the HIPAA Security Rule.

On April 10, 2014, CHSPSC suffered a cyberattack by an advanced persistent threat group known as APT18. Using compromised admin credentials, the hackers remotely accessed CHSPSC’s information systems via its virtual private network (VPN) solution. CHSPSC failed to detect the intrusion and was notified by the Federal Bureau of Investigation on April 18, 2014 that its systems had been compromised.

During the time the hackers had access to CHSPSC systems, the ePHI of 6,121,158 individuals was exfiltrated. The data had been provided to CHSPSC through 237 covered entities that used CHSPSC’s services. The types of information stolen in the attack included the following data elements: name, sex, date of birth, phone number, social security number, email, ethnicity, and emergency contact information.

OCR launched an investigation into the breach and uncovered systemic noncompliance with the HIPAA Security Rule. While it may not always be possible to prevent cyberattacks by sophisticated threat actors, when an intrusion is detected action must be taken quickly to limit the harm caused. Despite being notified by the FBI in April 2014 that its systems had been compromised, the hackers remained active in its systems for 4 months, finally being eradicated in August 2014. During that time, CHSPSC failed to prevent unauthorized access to ePHI, in violation of 45 C.F.R. §164.502(a), and the hackers continued to steal ePHI.

The failure to respond to a known security incident between April 18, 2014 and June 18, 2014 and mitigate harmful effects of the security breach, document the breach, and its outcome, was in violation of 45 C.F.R.§164.308(a)(6)(ii).

OCR investigators found CHSPSC had failed to conduct an accurate and thorough security risk analysis to identify the risks to the confidentiality, integrity, and availability of ePHI, in violation of 45 C.F.R. § 164.308(a)(1)(ii)(A).

Technical policies and procedures permitting access to information systems containing ePHI maintained by CHSPSC only by authorized individuals and software programs had not been implemented, in violation of 45 C.F.R. § 164.312(a).

Procedures had not been implemented to ensure information system activity records such as logs and system security incident tracking reports were regularly reviewed, in violation of 45 C.F.R. § 164.308(a)(1)(ii)(D).

“The health care industry is a known target for hackers and cyberthieves. The failure to implement the security protections required by the HIPAA Rules, especially after being notified by the FBI of a potential breach, is inexcusable,” said OCR Director Roger Severino. A sizeable financial penalty was therefore appropriate.

CHSPSC chose not to contest the case and agreed to pay the financial penalty and settled with OCR. The settlement also requires CHSPSC to adopt a robust and extensive corrective action plan to address all areas of noncompliance, and CHSPSC will be closely monitored by OCR for 2 years.
