HIPAA Risk Analysis Rule Violation

In mid-January of 2025, the Department of Health and Human Services’ Office for Civil Rights announced a $10,000 settlement agreement with Michigan-based Northeast Surgical Group, P.C. (NESG). The agreement requires NESG to submit to two years of OCR monitoring, in the form of a corrective action plan (CAP).

NESG agreed to settle allegations that it had failed to comply with the HIPAA Security Rule's risk analysis requirement. The settlement marks OCR's 10th ransomware enforcement action and the 4th enforcement action under OCR's risk analysis initiative. Details of the HIPAA risk analysis rule settlement are provided below.

Potential HIPAA Risk Analysis Rule Violation: Ransomware Attack

In March 2023, OCR received a breach report concerning a ransomware incident that had affected NESG’s information system. NESG concluded that the protected health information of 15,298 patients (NESG’s entire patient population) had been encrypted and exfiltrated from its network. OCR’s investigation determined that NESG had failed to conduct a compliant risk analysis to determine the potential risks and vulnerabilities to ePHI in NESG’s systems.

Under the terms of the resolution agreement, NESG agreed to implement a corrective action plan that OCR will monitor for two years and paid $10,000 to OCR. Under the corrective action plan, NESG will take steps to ensure compliance with the HIPAA Security Rule and protect the security of ePHI, including:

  1. Conducting an accurate and thorough risk analysis to determine the potential risks and vulnerabilities to the confidentiality, integrity, and availability of its ePHI. The risk analysis must incorporate NESG’s facilities, whether owned or rented, and evaluate the risks to the ePHI on electronic equipment, data systems, and applications controlled, administered, or owned by NESG that create, receive, maintain, or transmit ePHI. 
  2. Implementing a risk management plan to address and mitigate the security risks and vulnerabilities identified in its risk analysis.
  3. Developing, maintaining, and revising, as necessary, its written policies and procedures to comply with the HIPAA Rules.
  4. Training its workforce on its HIPAA policies and procedures.

This enforcement action is notable for its speed and recency. The ransomware attack occurred in January, the breach report was filed with OCR in March of 2023, and the matter was resolved in late 2024, less than two years after the report was filed.

“One of the first steps in implementing effective cybersecurity in health care is assessing the potential risks and vulnerabilities to electronic protected health information,” said OCR Director Melanie Fontes Rainer. “A failure to conduct a HIPAA risk analysis will leave a health care entity vulnerable to cyberattacks, such as hacking and ransomware—which is bad for our health care system and bad for patients. We can and must do better.”