On January 7, 2025, the Department of Health and Human Services (HHS)’ Office for Civil Rights (OCR) announced a $90,000 settlement (with a one-year corrective action plan, or CAP) with Virtual Private Network Solutions, LLC (VPN Solutions).
VPN Solutions is a HIPAA business associate that provides data hosting and cloud services to HIPAA covered entities (health plans, health care clearinghouses, and most health care providers) and other HIPAA business associates. VPN Solutions also acts as a cloud service provider (CSP) for these entities. The settlement is the 3rd enforcement action brought under OCR’s risk analysis initiative, and concludes OCR’s 9th HIPAA ransomware investigation. Details of this OCR settlement with the CSP business associate are provided below.
OCR Settles With CSP Business Associate for $90,000: The Details
In late December of 2021, CSP business associate VPN Solutions filed a notice of breach with HHS. VPN Solutions filed the notice on behalf of twelve covered entities, each of which had delegated to VPN Solutions its regulatory responsibility to report PHI breaches.
In its breach notice, VPN Solutions stated that it had experienced a ransomware attack on its servers, which encrypted the covered entities’ PHI. VPN Solutions learned of the attack on October 31, 2021. The encrypted data included names, addresses, dates of birth, driver’s license information, social security numbers, other identifiers, claim information, bank account numbers, other financial information, diagnoses/conditions, lab results, medications, and other treatment information.
OCR Settles With CSP Business Associate: What Was Revealed?
OCR investigated the incident, and concluded that CSP business associate VPN Solutions had failed to conduct a risk analysis – defined in the HIPAA regulations as an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of electronic protected health information (ePHI) that it holds. To avoid imposition of a civil monetary penalty, VPN Solutions agreed to settle the matter with OCR for $90,000. As part of the settlement, VPN Solutions will be monitored by OCR under the terms of a one-year corrective action plan (CAP).
OCR Settles With CSP Business Associate: What is Required Under the CAP?
Under the terms of the CAP, CSP business associate VPN Solutions must (you guessed it) conduct a risk analysis, implement a risk management plan, and implement policies and procedures to comply with the HIPAA Security Rule and the HIPAA Breach Notification Rule.
The risk analysis must be performed as follows:
- First, CSP business associate VPN Solutions must conduct and complete “an accurate and thorough analysis of security risks and vulnerabilities that incorporates all electronic equipment, data systems, programs and applications controlled, administered, owned, or shared by VPN Solutions,” or “its affiliates that are owned, controlled or managed by VPN Solutions,” that “contain, store, transmit or receive ePHI.”
- As part of this process, CSP business associate VPN Solutions must “include a complete inventory of all electronic equipment, data systems, off-site data storage facilities, and applications that contain or store ePHI,” which must then be incorporated in its risk analysis. The risk analysis must include vulnerability scans and penetration testing.
- VPN Solutions must submit to HHS the scope and methodology by which it proposes to conduct the risk analysis. HHS shall notify CSP business associate VPN Solutions whether the proposed scope and methodology is or is not consistent with the HIPAA risk analysis requirement.
- HHS will then review the risk analysis and recommend changes. If HHS requires revisions, HHS will provide VPN Solutions with a written explanation of the required revisions so that VPN Solutions can prepare a revised risk analysis. Upon receiving HHS’ recommended changes, VPN Solutions must prepare and submit a revised risk analysis. This process continues until HHS gives final approval of the risk analysis.
The CAP also requires VPN Solutions to develop and implement a risk management plan to address and mitigate any security risks and vulnerabilities identified in the risk analysis. The risk management plan must include a process and timeline for VPN Solutions’ implementation, evaluation, and revision of its risk remediation activities.
A copy of the Resolution Agreement can be found here.
“An accurate and thorough risk analysis is foundational to both HIPAA Security Rule compliance and protecting health information from cyberattacks,” said OCR Director Melanie Fontes Rainer. “Failure to conduct a risk analysis leaves health care entities exposed to future hacking and ransomware attacks. OCR urges health care entities to take the necessary steps to reduce risks and vulnerabilities and safeguard protected health information.”