The Department of Health and Human Services' Office for Civil Rights (OCR) recently reached settlements with two healthcare providers for HIPAA violations stemming from ransomware attacks. Plastic Surgery Associates of South Dakota will pay $500,000 after OCR discovered multiple potential violations of the HIPAA Privacy and Security Rules following a 2017 ransomware incident affecting over 10,000 individuals. Additionally, Bryan County Ambulance Authority (BCAA) in Oklahoma will pay $90,000 for failing to conduct a risk analysis, a deficiency uncovered after a 2022 ransomware attack that compromised the data of more than 14,000 patients.
These settlements represent the sixth and seventh ransomware enforcement actions by OCR, demonstrating a heightened focus on healthcare cybersecurity. With the increasing threats in the healthcare sector, federal regulators are considering mandating additional cybersecurity standards to safeguard patient information. OCR Director Melanie Fontes Rainer emphasized the importance of cybersecurity in healthcare, highlighting the impact of cyberattacks on Americans and the healthcare system.
The investigation into Plastic Surgery Associates of South Dakota revealed shortcomings in conducting risk analysis and implementing security measures to protect patient information. The provider has agreed to a corrective action plan monitored by OCR for two years. Similarly, Bryan County Ambulance Authority will need to implement additional safeguards and measures to prevent future security incidents.
The settlement with BCAA is the first enforcement action under OCR's Risk Analysis Initiative, which targets compliance with the HIPAA Security Rule's risk analysis provision. That provision requires covered entities and business associates to conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of electronic protected health information (ePHI). In response, BCAA stated its commitment to enhancing security measures and preventing similar incidents in the future.
Overall, these settlements underscore the importance of prioritizing cybersecurity in healthcare to safeguard patient data and comply with regulatory requirements. As healthcare organizations continue to face evolving cyber threats, proactive measures and adherence to cybersecurity protocols are crucial to maintain the integrity and confidentiality of patient information.