On January 7, 2025, the Department of Health and Human Services’ (HHS) Office for Civil Rights (OCR) announced that it had entered into an $80,000 settlement and three-year corrective action plan (CAP) with Massachusetts-based HIPAA business associate Elgon Information Systems (Elgon), an EMR and billing support service provider to covered entities.
The settlement concludes OCR’s 8th ransomware investigation and constitutes OCR’s second risk analysis initiative enforcement action. Details of the HIPAA business associate settlement are provided below.
Settlement With HIPAA Business Associate: Risk Is Our Business
Back in March of 2023, an unknown actor gained access to a server on HIPAA business associate Elgon’s information system. The access was made possible because Elgon’s firewall had open ports. It took six days for HIPAA business associate Elgon to detect the intrusion, and the intrusion was only detected because the unknown actor left a ransom note.
The breach affected the protected health information (PHI) of individuals treated by HIPAA business associate Elgon’s covered entity client, Century Homecare. In all, the PHI of 31,248 individuals was affected. This PHI included demographic information (name, social security number, address, driver’s license, and date of birth) and clinical information (medication, diagnosis, and condition).
HHS investigated the incident and found that Elgon had failed to conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of the electronic protected health information that it holds; in other words, Elgon had failed to conduct a proper security risk analysis.
Elgon, to settle the investigation, agreed to pay $80,000 to OCR and to implement a corrective action plan (CAP). Under the CAP, HIPAA business associate Elgon must:
1. Review and update its risk analysis to identify the potential risks and vulnerabilities to Elgon’s data in order to protect the confidentiality, integrity, and availability of electronic protected health information (ePHI).
2. Update its enterprise-wide Risk Management Plan (its strategy to protect the confidentiality, integrity, and availability of ePHI) to address and mitigate any security risks and vulnerabilities found in the updated risk analysis.
3. Review and revise, if necessary, its written policies and procedures to comply with the Privacy and Security Rules.
4. Provide workforce training on HIPAA policies and procedures.
Settlement With HIPAA Business Associate: So Nice They Did It Twice
As noted above, the settlement with HIPAA business associate Elgon is OCR’s second risk analysis initiative enforcement action. The first risk analysis initiative enforcement action was announced on October 31, 2024, and was brought against Oklahoma-based Bryan County Ambulance Authority (BCAA), an EMS provider. That action also involved a ransomware attack and the imposition of a CAP. OCR settled with BCAA for $90,000 and imposed a three-year CAP. The measures that OCR required BCAA to take under its CAP are virtually identical to those required of Elgon under its CAP.
Settlement With HIPAA Business Associate: So What’s This Initiative?
The risk analysis initiative was announced by OCR Director Melanie Fontes Rainer in late February of 2024. Few details were provided. Director Fontes Rainer provided more detail during a speech at a conference held by OCR and the National Institute of Standards and Technology (NIST) in October of 2024.
The topic of the conference was data security, specifically how the federal government is regulating it and what resources the federal government has made available for organizations to enhance their data security posture. During her speech, Director Fontes Rainer noted that, despite several years of OCR guidance on the standard having been available to organizations, a deficient risk analysis is flagged in four out of every five OCR enforcement actions. After noting this statistic, Director Fontes Rainer noted that the risk analysis initiative would be deployed to bring organizations into compliance with the risk analysis standard.
Also in October, OCR posted a ransomware prevention video on YouTube. In the video (time index 18:10-23:25), hosted by Nicholas Heesters, Senior Advisor for Cybersecurity at the U.S. Department of Health & Human Services, OCR went into specifics about how covered entities and business associates were getting the risk analysis wrong.
The Security Rule risk analysis requirement reads as follows: “Conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of electronic protected health information held by the covered entity or business associate.”
Senior Advisor Heesters noted that “accurate” means being correct and “thorough” means being comprehensive. Advisor Heesters noted that many entities failed to consider ALL risks to ePHI when conducting their risk analysis (thus conducting an analysis that was inaccurate), or conducted an analysis that was not thorough enough (e.g., failed to analyze all information systems to determine the risks posed to ePHI, instead analyzing only a subset of their information systems).
Heesters noted the consequences of failure to conduct an accurate and thorough risk analysis, which include:
- Failure to identify, assess, and mitigate known unpatched vulnerabilities present in an organization’s remote access solution, which can include a solution intended to provide secure remote access (e.g., VPN) as well as other remote access solutions that may be present (e.g., Microsoft Remote Desktop Protocol, firewalls, routers, and the devices supporting transmission of ePHI).
- Failure to identify the risks to ePHI posed by mobile devices (e.g., tablets and smartphones) as well as electronic media (e.g., memory cards and flash drives).
- Failure to understand how ePHI is actually entering an organization, flowing through it, and leaving. Understanding the flow is essential to understanding the risks that ePHI is exposed to.
- Failure to identify vulnerabilities, flaws, holes, or weaknesses of information systems (e.g., unprotected known vulnerabilities, incorrectly configured information systems).
Finally, Heesters noted the importance of maintaining a robust inventory management process as part of a risk analysis.
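The failure modes Heesters lists, plus the inventory point, can be turned into a mechanical coverage check that a business associate runs against its own asset inventory before signing off on a risk analysis. The script below is an added example written for this post; it is not OCR’s, Elgon’s, or BCAA’s tooling. The host names, port numbers, and flags are constructed sample data, and the field names on `Asset` are assumptions chosen for illustration. It flags ePHI systems left out of the analysis scope (the “not thorough” problem), remote-access systems with known patches pending, ePHI systems missing from the data-flow map, inbound ports no rule justifies, unencrypted mobile devices holding ePHI, and hosts seen on the network that the inventory does not know about.

```python
"""Risk-analysis coverage check (added example; not OCR's or Elgon's code).

Cross-checks a constructed asset inventory against the scope of a risk
analysis and a list of hosts observed on the network, reporting the gaps
OCR describes as typical risk-analysis failures. Every host, port and
flag below is constructed sample data, not from any real environment.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Asset:
    name: str
    holds_ephi: bool                      # stores, processes or transmits ePHI
    remote_access: bool = False           # VPN, RDP or similar remote-access service
    patch_current: bool = True            # known vulnerabilities patched?
    open_ports: frozenset = frozenset()   # inbound ports reachable from the internet
    mobile: bool = False                  # tablet, phone, flash drive, etc.
    encrypted: bool = True                # ePHI encrypted at rest on the device
    flow_documented: bool = True          # appears in the ePHI data-flow map


# Constructed policy: only HTTPS is an approved internet-facing listener.
ALLOWED_INBOUND = frozenset({443})


def risk_analysis_gaps(inventory, analyzed, observed_hosts):
    """Return (asset, finding) pairs for each gap in risk-analysis coverage.

    inventory      -- iterable of Asset records the organization knows about
    analyzed       -- set of asset names the risk analysis actually covered
    observed_hosts -- set of host names seen on the network (e.g. from a scan)
    """
    findings = []
    known = {a.name for a in inventory}
    # Inventory management: anything on the wire that the inventory lacks
    # cannot have been analyzed at all.
    for host in sorted(observed_hosts - known):
        findings.append((host, "not-in-inventory"))
    for a in inventory:
        if a.holds_ephi and a.name not in analyzed:
            findings.append((a.name, "ephi-system-out-of-scope"))
        if a.remote_access and not a.patch_current:
            findings.append((a.name, "remote-access-unpatched"))
        if a.holds_ephi and not a.flow_documented:
            findings.append((a.name, "ephi-flow-undocumented"))
        for port in sorted(a.open_ports - ALLOWED_INBOUND):
            findings.append((a.name, f"unjustified-open-port:{port}"))
        if a.mobile and a.holds_ephi and not a.encrypted:
            findings.append((a.name, "mobile-ephi-unencrypted"))
    return findings


# Constructed sample inventory for a small EMR/billing service provider.
SAMPLE_INVENTORY = [
    Asset("emr-db", holds_ephi=True),
    Asset("billing-app", holds_ephi=True, open_ports=frozenset({443, 3389})),
    Asset("vpn-gw", holds_ephi=False, remote_access=True, patch_current=False,
          open_ports=frozenset({443})),
    Asset("file-server", holds_ephi=True, flow_documented=False),
    Asset("field-tablet", holds_ephi=True, mobile=True, encrypted=False),
]
# The analysis covered only some systems; file-server was skipped.
SAMPLE_ANALYZED = {"emr-db", "billing-app", "vpn-gw", "field-tablet"}
# A constructed network scan turned up one host nobody inventoried.
SAMPLE_OBSERVED = {"emr-db", "billing-app", "vpn-gw", "file-server",
                   "field-tablet", "legacy-fax"}


def sample_findings():
    return risk_analysis_gaps(SAMPLE_INVENTORY, SAMPLE_ANALYZED, SAMPLE_OBSERVED)


if __name__ == "__main__":
    for asset, finding in sample_findings():
        print(f"{asset:<14} {finding}")
```

Each finding maps back to one of the failures above: `ephi-system-out-of-scope` is the “analyzed only a subset of information systems” problem, `remote-access-unpatched` and `unjustified-open-port` are the remote-access and misconfiguration items, `ephi-flow-undocumented` is the data-flow item, `mobile-ephi-unencrypted` is the mobile-device item, and `not-in-inventory` is the inventory point. The check is only as good as the inventory and scan feeding it, which is exactly why Heesters places inventory management inside the risk analysis rather than beside it.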
A week after the conference and video, the Bryan County Ambulance Authority settlement was announced.