On October 31, 2024 (boo!), the Department of Health and Human Services’ (HHS) Office for Civil Rights (OCR) settled a HIPAA ransomware cybersecurity investigation of Bryan County Ambulance Authority (BCAA). BCAA is a provider of emergency medical services in Oklahoma. Details of the settlement are provided below.
HIPAA Ransomware Cybersecurity Investigation: The Risk Analysis Initiative
In late October of 2024, a conference was held in Washington, D.C. by the U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR) and the National Institute of Standards and Technology (NIST). The topic: data security – specifically, how the federal government is regulating it, and what resources the federal government has made available to help organizations enhance their data security posture.
One of the event’s key speakers was HHS OCR Director Melanie Fontes Rainer. (The keynote speaker was HHS Deputy Secretary Andrea Palm, who set the tone for the conference by noting that, between 2018 and 2022, large healthcare breaches increased by 93 percent and healthcare industry ransomware attacks increased by 234 percent.)
Director Fontes Rainer spoke about OCR’s recently launched “Risk Analysis Initiative.” She explained to the assembled guests in the Great Hall of the Hubert H. Humphrey Building that, despite several years of OCR guidance on the risk analysis standard having been available to organizations, a failure to conduct a compliant risk analysis is flagged in four out of every five enforcement actions. After noting this statistic, Fontes Rainer said that the Risk Analysis Initiative will be deployed to bring organizations into compliance with the risk analysis standard.
HIPAA Ransomware Cybersecurity Investigation: The First
The BCAA settlement constitutes the first enforcement action under the risk analysis initiative (and the seventh HIPAA ransomware enforcement action).
In May of 2022, OCR received a breach notification report from BCAA. According to the report, in late November of 2021, a ransomware infection began to encrypt files on BCAA’s network. BCAA determined that the encrypted files affected the protected health information (PHI) of approximately 14,273 patients. In June of 2022, HHS notified BCAA of its investigation of BCAA’s compliance with the HIPAA privacy, security, and breach notification rules. OCR’s investigation found that BCAA had failed to conduct a HIPAA-compliant risk analysis to determine the potential risks and vulnerabilities to the electronic protected health information (ePHI) in its systems.
OCR then brought an enforcement action against BCAA. The enforcement action was resolved through a resolution agreement. Under the terms of this agreement, BCAA agreed to pay $90,000 to OCR and to submit to a three-year corrective action plan (CAP) requiring BCAA to perform a number of activities under the risk analysis initiative. These activities include, among other things:
1. Conducting an accurate and thorough risk analysis to determine the potential risks and vulnerabilities to the confidentiality, integrity, and availability of BCAA’s ePHI.
2. Implementing a risk management plan to address and mitigate security risks and vulnerabilities identified in the risk analysis.
3. Developing, maintaining, and revising, as necessary, BCAA’s written policies and procedures to comply with the HIPAA rules.
4. Training the BCAA workforce on BCAA’s HIPAA policies and procedures.
HIPAA Ransomware Cybersecurity Investigation: But Not the Last
In a press release announcing the resolution agreement, Director Fontes Rainer noted, “Failure to conduct a HIPAA Security Rule risk analysis leaves health care entities vulnerable to cyberattacks, such as ransomware. Knowing where your ePHI is held and the security measures in place to protect that information is essential for compliance with HIPAA. OCR created the Risk Analysis Initiative to increase the number of completed investigations and highlight the need for more attention and better compliance with this Security Rule requirement.”