Heritage Valley settles with HHS over HIPAA violations after ransomware attack



Photo: Xavier Becerra, United States Secretary of Health and Human Services | Official Website

The U.S. Department of Health and Human Services’ (HHS) Office for Civil Rights (OCR) has announced a settlement with Heritage Valley Health System over potential violations of the Health Insurance Portability and Accountability Act (HIPAA) Security Rule following a ransomware attack. This is OCR’s third settlement arising from a ransomware incident; the agency reports a 264% increase in large breaches involving ransomware since 2018.

“Hacking and ransomware are the most common type of cyberattacks within the health care sector. Failure to implement the HIPAA Security Rule requirements leaves health care entities vulnerable and makes them attractive targets to cyber criminals,” said OCR Director Melanie Fontes Rainer. “Safeguarding patient protected health information protects privacy and ensures continuity of care, which is our top priority. We remind and urge health care entities to protect their records systems and patients from cyberattacks.”

OCR enforces the HIPAA Privacy, Security, and Breach Notification Rules, which outline requirements that covered entities must follow to protect the privacy and security of protected health information. The settlement resolves OCR’s investigation into Heritage Valley’s compliance with the HIPAA Security Rule.

The investigation identified several potential violations by Heritage Valley: failure to conduct a compliant risk analysis, failure to implement a contingency plan for responding to emergencies such as ransomware attacks, and failure to establish policies and procedures that restrict access to electronic protected health information (ePHI) to authorized users.

Under the terms of the resolution agreement, Heritage Valley agreed to pay $950,000 and to implement a corrective action plan that OCR will monitor for three years. The plan requires Heritage Valley to conduct an accurate and thorough risk analysis, implement a risk management plan, revise its policies and procedures as necessary to comply with the HIPAA Rules, and train its workforce on those policies and procedures.

OCR recommends that health care providers take the following steps to mitigate or prevent cyber threats:

- Review vendor and contractor relationships to ensure business associate agreements are in place and address breach and security incident obligations.

- Integrate regular risk analysis into business processes.

- Ensure audit controls are in place.

- Implement regular reviews of information system activity.

- Utilize multi-factor authentication.

- Encrypt electronic protected health information (ePHI).

- Incorporate lessons learned from incidents into security management processes.

- Provide workforce training that is specific to the organization and its risks, and repeat it regularly.

Further details about the resolution agreement can be found at: [HHS Resolution Agreement](https://www.hhs.gov/hipaa/for-professionals/compliance-enforcement/agreements/hvhs-ra-cap/index.html). Information on reporting breaches can be accessed at: [HHS Breach Portal](https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf).

OCR remains committed to enforcing the HIPAA Rules that protect the privacy and security of people's health information. Guidance on these rules is available on OCR’s website. Complaints about potential violations can be filed at: [File Complaint with OCR](https://www.hhs.gov/ocr/complaints/index.html).