The HHS’ Office for Civil Rights (OCR) has agreed to settle alleged HIPAA Security Rule violations with Heritage Valley Health System for $950,000. Heritage Valley is a 3-hospital health system with more than 50 physician offices and many community satellite facilities in Pennsylvania, eastern Ohio, and the panhandle of West Virginia.

In 2017, Heritage Valley was affected by a global malware attack that saw NotPetya malware installed on its network via a connection with its business associate, Nuance Communications. OCR launched an investigation of Heritage Valley in October 2017 following media reports of a data security incident to determine whether Heritage Valley was compliant with the requirements of the HIPAA Security Rule.

OCR’s investigation uncovered multiple Security Rule compliance failures, including the most commonly identified Security Rule issue – The failure to conduct an accurate and thorough risk analysis to identify potential risks and vulnerabilities to the confidentiality, integrity, and availability of electronic protected health information (ePHI), as required by 45 C.F.R. § 164.308(a)(1)(ii)(A).

The HIPAA Security Rule – 45 C.F.R. § 164.308(a)(7) – requires covered entities to develop and implement a contingency plan for responding to an emergency that damages systems containing ePHI. Heritage Valley was found not to be compliant with this requirement. OCR also identified a failure to implement technical policies and procedures for electronic information systems that maintain ePHI only to permit access by authorized persons or software programs – 45 C.F.R. § 164.308(a)(4) and 164.312(a)(1)).

The healthcare industry is being targeted by ransomware groups and ransomware-related data breaches have increased by 264% since 2018. Healthcare organizations that are fully compliant with the HIPAA Security Rule can reduce the risk of a ransomware attack succeeding and can limit the harm caused in the event of a successful attack.

In addition to paying the financial penalty, Heritage Valley has agreed to implement a corrective action plan, compliance with which will be monitored by OCR for 3 years. The corrective action plan includes the requirement to conduct an accurate and thorough risk analysis, implement a risk management plan to reduce identified risks and vulnerabilities and review, develop, maintain, and revise as necessary its written policies and procedures to comply with the HIPAA Rules and provide training to the workforce on those policies and procedures.

“Hacking and ransomware are the most common type of cyberattacks within the health care sector. Failure to implement the HIPAA Security Rule requirements leaves health care entities vulnerable and makes them attractive targets to cyber criminals,” said OCR Director Melanie Fontes Rainer. “Safeguarding patient-protected health information protects privacy and ensures continuity of care, which is our top priority. We remind and urge health care entities to protect their records systems and patients from cyberattacks.”

This is the third OCR HIPAA penalty imposed in response to a ransomware attack and the fifth HIPAA enforcement action of 2024 to result in a financial penalty.

When announcing the enforcement action, OCR took the opportunity to remind all HIPAA-regulated entities of their responsibilities under the HIPAA Security Rule to take action to mitigate or prevent cyber threats. These include:

• Reviewing relationships with business associates, ensuring a business associate agreement is in place, and addressing data breach and security incident obligations
• Integrating risk analysis and risk management into business processes, and conducting risk analyses when new technologies are implemented and business operations change.
• Ensuring an audit trail is maintained and information system activity is regularly reviewed
• Encrypting ePHI to prevent unauthorized access and implementing multifactor authentication on accounts
• Providing regular training to the workforce specific to the organization and job responsibilities and reinforcing the role of members of the workforce with respect to privacy and security
• When security incidents occur, incorporate the lessons learned into the security management process.

The post Heritage Valley Health System Pays $950,000 to Settle Alleged HIPAA Security Rule Violations appeared first on The HIPAA Journal.