In 2024, the Department of Health and Human Services’ (HHS) Office for Civil Rights (OCR) announced a series of enforcement actions against entities that violated, or potentially violated, one or more HIPAA rules. This HIPAA 2024 Year in Review article discusses these actions.
HIPAA 2024 Year in Review: A Two-Front War
The Security Rule Theater
The first front is being waged in the theater of the HIPAA Security Rule, which requires covered entities and business associates to perform security risk analyses (SRAs).
HIPAA 2024 Year in Review: Montefiore
The largest OCR HIPAA settlement of the year was announced on February 6, 2024: a $4.75 million, 2-year corrective action plan (CAP) resolution with New York-based Montefiore Medical Center over potential HIPAA Security Rule violations.
In May of 2015, the NYPD informed Montefiore Medical Center that there was evidence that patient information had been stolen from the hospital’s database – leading Montefiore to investigate and discover that the theft had taken place two years earlier. The theft was an inside job (or, as OCR called it, a malicious insider threat incident). For six months, the employee in question stole patient protected health information (PHI) and sold it to an identity theft ring.
OCR investigated the incident, concluding that Montefiore had potentially committed several HIPAA violations by failing to:
- Analyze and identify potential risks and vulnerabilities to protected health information (that is, failure to conduct a risk analysis).
- Monitor and safeguard its health information systems’ activity.
- Implement policies and procedures that record and examine activity in information systems containing or using PHI (information systems activity review measures).
HIPAA 2024 Year in Review: Heritage Valley Health
On July 1, 2024, OCR announced its settlement with Heritage Valley Health System (HVHS) to resolve potential violations of the HIPAA Security Rule. The settlement is the third ransomware settlement entered into by OCR.
On October 31, 2017, OCR initiated a compliance review of HVHS after the media reported that HVHS had experienced a ransomware attack.
OCR’s investigation identified potential violations of the following provisions:
- The requirement to conduct a security risk analysis.
- The requirement to establish and implement policies and procedures for responding to an emergency or other occurrence, such as a fire, vandalism, system failure, and natural disaster, that damages systems that contain ePHI (Contingency Plan).
- The requirement to implement technical policies and procedures for electronic information systems that maintain ePHI to allow access only to those persons or software programs that have been granted access rights.
The $950,000 settlement agreement subjects HVHS to a 3-year CAP.
HIPAA 2024 Year in Review: Cascade Eye and Skin Centers
In late September of 2024, OCR announced that it had entered into a $250,000 settlement (its fourth ransomware enforcement action) and two-year corrective action plan (CAP) with Cascade Eye and Skin Centers.
After receiving a complaint that Cascade Eye and Skin Centers allegedly suffered a ransomware incident in 2017, OCR launched an investigation, and learned that a ransomware attack indeed compromised the electronic protected health information (ePHI) of 291,000 patients. In a press release announcing the settlement, OCR stated that Cascade potentially committed these Security Rule violations:
- Failure to conduct a compliant risk analysis (there it is again!) to determine the potential risks and vulnerabilities to ePHI in its systems.
- Failure to sufficiently monitor health information systems activity to protect against a cyberattack.
The CAP requires Cascade to:
- Conduct an accurate and thorough risk analysis and implement a risk management plan.
- Develop a written process to regularly review records of information system activity, such as audit logs, access reports, and security incident tracking reports.
- Develop policies and procedures for responding to an emergency or other occurrence that damages systems that contain ePHI (contingency plan).
- Develop written procedures to assign a unique name and/or number for identifying and tracking user identity in its systems that contain ePHI (access controls).
- Review and revise its policies and procedures to comply with HIPAA.
HIPAA 2024 Year in Review: Providence Medical Institute
Next up, in October of 2024, OCR announced its fifth ransomware enforcement action – a $240,000 civil monetary penalty (CMP) imposed on California-based Providence Medical Institute (PMI). OCR imposed the ransomware civil monetary penalty for potential HIPAA Security Rule violations.
After a suspected ransomware attack, PMI filed a breach report with OCR. In its report, PMI noted that its systems had been impacted by a series of ransomware attacks. The attacks affected the electronic protected health information (ePHI) of approximately 85,000 individuals between February and March of 2018.
OCR’s subsequent investigation revealed that PMI servers containing ePHI were encrypted with ransomware – on three separate occasions. The investigation also revealed that PMI failed to have required business associate agreements in place with vendors (including a business associate who provided data management services to PMI), and that PMI failed to implement policies and procedures to allow only authorized persons or software programs access to ePHI.
In March of 2024, OCR issued a Notice of Proposed Determination, seeking to impose a ransomware civil monetary penalty (CMP) on PMI. PMI chose not to contest OCR’s findings. Therefore, OCR imposed the $240,000 ransomware CMP.
Read the Fine(s) Print:
On August 25, 2021, OCR submitted a data request providing an opportunity for PMI to adequately demonstrate that it had recognized security practices (RSPs) in place. PMI responded to OCR’s data request on October 6, 2021. Upon examination of all the data, policies and procedures, OCR determined that PMI’s response adequately demonstrated that it had RSPs in place for the previous 12 months in alignment with Section 405(d) of the Cybersecurity Act of 2015 (CSA). Therefore, OCR applied a 20% reduction to the CMP based on PMI’s sufficient implementation of RSPs.
HIPAA 2024 Year in Review: Plastic Surgery Associates of South Dakota
On October 31, 2024, OCR announced a $500,000 settlement with Plastic Surgery Associates of South Dakota (PSASD), for several potential HIPAA Security Rule violations, after extensive investigation. The settlement, which also contains a two-year corrective action plan (CAP), marks OCR’s sixth ransomware enforcement action.
In July of 2017, PSASD filed a required breach report with OCR. PSASD noted that it had discovered five months earlier that nine workstations and two servers were infected with ransomware. Once PSASD discovered the breach, it realized that it was unable to restore the affected servers from backup. To retrieve the PHI of approximately 10,000 individuals, PSASD bargained with the hackers, paying them two bitcoin ransomware payments totaling slightly over $27,000, in exchange for decryption keys.
OCR’s investigation that led to the settlement revealed significant HIPAA Security Rule noncompliance on the part of PSASD, including:
- Failure to conduct an accurate and thorough risk analysis of potential risks and vulnerabilities to the confidentiality, integrity, and availability of electronic protected health information (ePHI). (Our friend, the security risk analysis, appears again!)
- Failure to implement risk management.
- Failure to implement information system activity review procedures.
- Failure to develop and implement security incident procedures.
HIPAA 2024 Year in Review: Bryan County Ambulance Authority
On October 31, 2024, OCR settled (for $90,000 and a 3-year CAP) a HIPAA ransomware cybersecurity investigation of Bryan County Ambulance Authority (BCAA), an Oklahoma-based EMS provider.
The BCAA settlement constitutes the first enforcement action under the OCR’s recently announced Risk Analysis Initiative (and the seventh HIPAA ransomware enforcement action).
In May of 2022, OCR received a breach notification report from BCAA. In late November of 2021, a ransomware infection began to encrypt files on BCAA’s network. BCAA determined that the encrypted files affected the protected health information (PHI) of approximately 14,273 patients. In June of 2022, HHS notified BCAA of its investigation of the report, finding that BCAA had failed to conduct a HIPAA-compliant risk analysis.
HIPAA 2024 Year in Review: Gulf Coast
In early December of 2024, OCR announced a $1.19 million civil monetary penalty (CMP) against Gulf Coast Pain Consultants, LLC d/b/a Clearway Pain Solutions Institute (Gulf Coast Pain Consultants, or Gulf Coast) for HIPAA Security Rule violations – mostly HIPAA workforce access violations.
In May of 2018, Gulf Coast hired an independent contractor to provide business consulting services. In late February of 2019, Gulf Coast discovered that between early September of 2018 and early February of 2019 (after the contractor stopped providing services), the contractor had impermissibly accessed Gulf Coast’s electronic medical record (EMR) system and accessed the ePHI of approximately 34,310 individuals. The contractor used the ePHI to generate medical claims for services that were not actually rendered, resulting in approximately 6,500 false Medicare claims.
HIPAA Workforce Access Violations: A Failure to Communicate
Gulf Coast, upon discovering the extracurricular activities, terminated the contractor’s access to its systems, and then filed a breach report with OCR. OCR investigated and concluded that Gulf Coast did not conduct a thorough and accurate risk analysis prior to the breach incident.
OCR also concluded that:
- Prior to the breach incident, Gulf Coast did not implement termination procedures that would include removing access to ePHI for workforce members or contractors who had separated from Gulf Coast.
- Prior to the breach incident, Gulf Coast did not implement policies and procedures to comply with the workforce access rule (requiring Gulf Coast to establish, document, review, and modify a user’s right of access to a workstation, transaction, program or process).
In August of 2024, OCR issued a Notice of Proposed Determination to impose a $1.4 million CMP. After receiving evidence of recognized security practices, OCR imposed a reduced civil money penalty of $1,190,000.
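Two of the controls OCR keeps coming back to in these actions are the regular review of information system activity (the audit-log review the Cascade CAP requires) and termination procedures that actually remove a departed contractor’s access (the Gulf Coast failure above). The script below is an added illustration of both checks, not code from OCR, Gulf Coast, Cascade or any EMR vendor. The HR roster, the account names, the audit log and the dates are all constructed for the example; the log format (timestamp, account, action, patient id) is an assumption, since real EMR audit logs vary by product.

```python
"""Information system activity review plus a termination check.

Added illustration (not code from OCR, Gulf Coast, Cascade, or any EMR vendor).
The roster, the access log, the account names, and the dates are constructed;
they loosely echo the Gulf Coast timeline and are not from the OCR notice.
"""
from collections import Counter
from datetime import date, datetime

# Constructed HR roster: account -> (role, separation date as ISO string, or None if active).
ROSTER = {
    "jdoe":     ("physician",  None),
    "rnurse":   ("nurse",      None),
    "consult1": ("contractor", "2018-09-01"),  # engagement ended; access never removed
}

# Constructed EMR audit log, one event per line: timestamp,account,action,patient_id
ACCESS_LOG = """\
2018-08-30T10:15:00,consult1,VIEW,P1001
2018-09-04T22:41:00,consult1,EXPORT,P1002
2018-09-04T22:42:00,consult1,EXPORT,P1003
2018-10-12T03:05:00,consult1,EXPORT,P1004
2019-01-20T09:00:00,jdoe,VIEW,P1005
2019-02-02T01:30:00,svcacct9,EXPORT,P1006
"""


def parse_log(text):
    """Parse the comma-separated audit log into a list of event dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, account, action, patient = line.split(",")
        events.append({
            "ts": datetime.fromisoformat(ts),
            "account": account,
            "action": action,
            "patient": patient,
        })
    return events


def review_activity(events, roster):
    """Flag events by accounts unknown to HR or active past their separation date.

    Returns a list of (timestamp, account, reason) tuples in log order.
    """
    findings = []
    for ev in events:
        entry = roster.get(ev["account"])
        if entry is None:
            findings.append((ev["ts"], ev["account"], "account not on HR roster"))
            continue
        _role, separated = entry
        if separated and ev["ts"].date() > date.fromisoformat(separated):
            findings.append((ev["ts"], ev["account"],
                             f"activity after separation on {separated}"))
    return findings


def stale_accounts(enabled_accounts, roster, as_of):
    """Termination check: enabled EMR accounts whose HR record says they should be gone.

    `enabled_accounts` is the set of accounts the EMR still lets log in and
    `as_of` is the review date (ISO string). Returns a sorted list of (account, reason).
    """
    review_date = date.fromisoformat(as_of)
    stale = []
    for account in sorted(enabled_accounts):
        entry = roster.get(account)
        if entry is None:
            stale.append((account, "no HR record"))
            continue
        _role, separated = entry
        if separated and date.fromisoformat(separated) <= review_date:
            stale.append((account, f"separated {separated}, still enabled"))
    return stale


def summarize(findings):
    """Count flagged events per account so the reviewer sees volume at a glance."""
    return dict(Counter(account for _ts, account, _reason in findings))


if __name__ == "__main__":
    events = parse_log(ACCESS_LOG)
    findings = review_activity(events, ROSTER)
    for ts, account, reason in findings:
        print(f"{ts:%Y-%m-%d %H:%M}  {account:10}  {reason}")
    print(summarize(findings))
    # Constructed snapshot of the accounts the EMR currently allows to log in.
    print(stale_accounts({"jdoe", "rnurse", "consult1", "svcacct9"}, ROSTER, "2019-02-28"))
```

Run on the constructed data, the activity review flags the contractor’s three post-separation exports and one event by an account HR has no record of, and the termination check reports the same two accounts as still enabled. The point of keeping the two checks separate is that each catches what the other misses: an account that was disabled but used before the review still shows up in the log review, and an account that is enabled but has not logged in yet still shows up in the termination check.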
HIPAA Workforce Access Violations: Cheaper by the Dozen (Months)
In its Notice of Final Determination, OCR noted that it had marked down the proposed CMP by 15% ($1.4 million to $1.19 million). Why? Per the Notice of Final Determination:
“On July 2, 2024, OCR provided Gulf Coast with an opportunity to adequately demonstrate that it had recognized security practices (RSPs) in place for the previous 12 months. On July 26, 2024, Gulf Coast responded to OCR’s request. Upon examination of Gulf Coast’s responsive materials, OCR determined that Gulf Coast’s response adequately demonstrated that it had RSPs in place for the previous 12 months in alignment with Section 2(c)(15) of the National Institute of Standards and Technology Act. Therefore, OCR applied a reduction to the CMP based on Gulf Coast’s sufficient implementation of RSPs.”
HIPAA 2024 Year in Review: Children’s Hospital Colorado
In early December of 2024, OCR announced it had issued a $548,625 civil monetary penalty (CMP) against Children’s Hospital Colorado (CHC) for violations of the HIPAA Privacy and Security Rules.
In September of 2017, CHC notified OCR of a breach of PHI that had occurred two months earlier. A physician’s CHC email account, containing the PHI of 3,370 children, had been compromised: the CHC IT help desk had previously disabled two-factor authentication on the doctor’s account, and failed to reactivate it. In 2020, CHC notified OCR of another breach. This time, an unauthorized individual had accessed the email accounts (which contained the PHI of 10,840 individuals) of three CHC workforce members. OCR subsequently investigated this breach. Turns out, two workforce members had given the unknown third parties permission to access their email accounts by accepting a multi-factor authentication access request that neither had initiated. The workforce members’ accounts contained PHI that was impermissibly disclosed to third parties.
After concluding its investigations of both the 2017 and 2020 incidents, OCR found that CHC had failed to conduct an accurate and thorough risk analysis.
OCR then proposed a civil monetary penalty of $548,265. Children’s Hospital Colorado waived its right to a hearing and did not contest OCR’s findings.
HIPAA 2024 Year In Review: Inmediata
In December of 2024, OCR announced a $250,000 settlement with Puerto Rico-based healthcare clearinghouse Inmediata Health Group, LLC (Inmediata), over the latter’s potential HIPAA Privacy and Security Rule violations.
In November of 2018, a complainant alleged that ePHI of Inmediata patients was left unsecured on the Internet – findable through search engines like Google. OCR investigated the claim and found that from May of 2016 to January of 2019, the ePHI of roughly 1.5 million individuals was made publicly available online and cached by search engines.
OCR concluded that these impermissible PHI disclosures were potential HIPAA Privacy Rule violations, and identified multiple potential HIPAA Security Rule violations, including:
- Failure by Inmediata to conduct a compliant risk analysis.
- Failure by Inmediata to monitor and review its health information systems’ activity.
The Privacy Rule Theater
The Privacy Rule enforcement actions brought by OCR this year should have a familiar ring – several are “right of access” (to medical records) enforcement actions. Several of these were brought against nursing facilities who failed to provide requested records to patients’ personal representatives. Several others merit discussion in large part as they illustrate what some entities proffer (to no effect) as a reason for noncompliance with the right of access standard.
Phoenix Healthcare
On March 29, 2024, OCR announced it had reached a settlement with Phoenix Healthcare for $35,000, to resolve a potential HIPAA right of access violation.
The Complainant, the personal representative of a Phoenix patient, made multiple requests for her mother’s medical records in 2019. OCR reviewed her complaint, investigated, and provided Phoenix Healthcare with technical assistance to meet the record request. Only after OCR acted did Phoenix produce the requested records – 323 days after the first request was made.
Essex Residential Care, LLC/Hackensack Meridian
In May of 2020, OCR received a complaint alleging that Essex Residential Care (a nursing facility doing business as Hackensack Meridian Health, West Caldwell Care Center – WCCC for short) failed to provide a personal representative with access to his mother’s medical records. The records were allegedly withheld even after WCCC received sufficient documentation confirming that the son was the mother’s personal representative. OCR’s investigation prompted WCCC to send the records to the personal representative – in November.
On April 1, 2024, OCR imposed a $100,000 CMP on Essex to resolve the right of access violation. 161 days had passed between the initial request and the son’s receipt of the records.
Before OCR imposed the CMP, WCCC offered a series of non-reason reasons for withholding the records. These included:
- At the time of the initial request, there was, allegedly, ongoing litigation due to the non-payment of care costs.
- WCCC’s assertion that it was dealing with the COVID-19 pandemic.
Gums Dental Care
The facts of this right of access case are unfortunate. In 2019, a patient of Gums Dental Care (“Gums”), a solo Maryland dental practice, filed a complaint with OCR, alleging Gums failed to provide her with timely access to her medical records after she requested them in writing.
The Complainant, still not having received the records as of June of 2019, made another written request for them. More requests (and another complaint) followed. In October of 2020, OCR issued a proposed resolution agreement and CAP to resolve the potential right of access violation. On October 22, 2020, Dr. Anna Gumbs replied to OCR, offering a justification: the Complainant allegedly refused to pay the $25.00 flat fee to have the records mailed “certified” to her. Dr. Gumbs also alleged the complainant was not entitled to the records because the complainant would use the records to commit Maryland Medicaid insurance fraud (don’t ask).
OCR gave Gums a chance in December to submit written evidence of mitigating factors. Gums obliged, repeating the insurance fraud claim and asserting (for the first time) that it didn’t produce the records because it didn’t have a secure website to ensure the records could be delivered electronically with adequate safeguards.
As Gums did not provide evidence of mitigating factors, an Administrative Law Judge imposed a $70,000 CMP. Gums appealed, lost, and was ordered to pay the CMP.
Holy Redeemer
In November of 2024, OCR announced that it had entered into a Resolution Agreement (settlement) with Holy Redeemer Family Medicine (HRFM), over the latter’s having impermissibly disclosed a patient’s PHI to a prospective employer without first obtaining a valid HIPAA authorization.
In September of 2023, OCR received a complaint that alleged Holy Redeemer impermissibly (without authorization) disclosed a female patient’s PHI to her prospective employer. The patient alleged that, although she had requested HRFM send one specific test result (not related to reproductive health care) to the employer, Holy Redeemer instead disclosed her surgical history, gynecological history, obstetric history, and other sensitive health information concerning reproductive health care.
The disclosure, OCR concluded, was not made for a permissible or required legal purpose, and was also made without HRFM having first obtained the Complainant’s valid authorization to disclose the information. On November 1, 2023, HHS notified HRFM of this conclusion. The parties settled the matter in late September of 2024, with Holy Redeemer agreeing to pay $35,581 to OCR and to submit to a two-year CAP.