In October of 2024, the Department of Health and Human Services’ (HHS) Office for Civil Rights (OCR) imposed a $240,000 civil monetary penalty (CMP) against Providence Medical Institute (PMI). PMI is a non-profit network of hospitals, physicians, clinics, and home health care services, with locations across Southern California. OCR imposed the ransomware civil monetary penalty for potential HIPAA Security Rule violations.
Details of the incidents leading to the imposition of the ransomware civil monetary penalty are provided below.
Why Was the Ransomware Civil Monetary Penalty Imposed?
After a suspected ransomware attack, PMI filed a breach report with OCR. Such filing is required by the HIPAA Breach Notification Rule, under which covered entities and business associates must report breaches of unsecured PHI through OCR’s web reporting portal. In its report, PMI noted that its systems had been impacted by a series of ransomware attacks. The attacks, PMI noted, affected the electronic protected health information (ePHI) of approximately 85,000 individuals between February and March of 2018. OCR’s investigation revealed that PMI servers containing ePHI were encrypted with ransomware – three times. The investigation also revealed that PMI failed to have required business associate agreements in place with vendors, and that PMI failed to implement policies and procedures to allow only authorized persons or software programs access to ePHI.
The instigating incident occurred at Center for Orthopedic Specialists (COS) – an orthopedic practice that PMI acquired and intended to fully integrate as a PMI unit. The integration was planned for 2018, but delayed until 2019. In mid-February of 2018, a ransomware group encrypted COS system files – after a COS employee responded to a phishing email and disclosed their credentials.
COS was able to restore systems from backup tapes within a few days. A few days later, though, the files were encrypted a second time. Again, COS restored systems from backup tapes, only to discover that a third encryption had occurred in early March. The threat actor was apparently able to hit the trifecta because it retained access to ePHI after data was restored from backups: restoring the files did not remove the attacker’s foothold. The third attack, apparently, used administrator credentials the same threat actor had obtained in one of the previous attacks.
COS-PMI noted in its breach report that the compromised data included an ePHI potpourri – names, addresses, dates of birth, driver’s license numbers, Social Security numbers, lab results, medications, treatment information, credit card information, bank account numbers, and other financial information.
COS-PMI conducted an investigation several months after the attack and found that:
1. COS was using unsupported and obsolete operating systems to host its ePHI data.
2. A “demilitarized zone” network had not been enabled or configured by COS to separate its private network from the public internet and untrusted networks.
3. The COS firewall had not been properly configured to monitor and track network access or changes.
4. Remote Desktop Protocol (RDP) had been enabled, which allowed for unsecured remote access to COS workstations from external sources.
5. ePHI had not been encrypted on the COS network.
6. COS workforce members had been sharing generic credentials that provided workstation administrative access.
In its own investigation, OCR found that COS had been using an IT vendor who was performing business associate (data management) services for COS, but that there was no business associate agreement in place between the parties. OCR also found that COS did not have sufficient policies and procedures for restriction of access to ePHI-containing systems to only authorized individuals and software.
The HIPAA Security Rule violation persisted until May of 2019, when the integration was fully completed.
In March of 2024, after COS-PMI and OCR’s investigations had concluded, OCR issued a Notice of Proposed Determination, seeking to impose a ransomware civil monetary penalty (CMP) on PMI.
Often, HIPAA-covered entities dispute OCR’s findings, or seek to enter into a resolution agreement (settlement), under which the entity might pay a lower sum to OCR than the one initially proposed.
PMI chose a road less traveled, waiving its right to a hearing. PMI chose not to contest OCR’s findings. Therefore, OCR imposed the $240,000 ransomware civil monetary penalty over the potential Security Rule violations.
“Failures to fully implement all of the HIPAA Security Rule requirements leaves HIPAA covered entities and business associates vulnerable to cyberattacks at the expense of the privacy and security of patients’ health information,” OCR Director Melanie Fontes Rainer stated in the press release announcing the CMP. “The health care sector needs to get serious about cybersecurity and complying with HIPAA. OCR will continue to stand up for patient privacy and work to ensure the security of health information of every person. On behalf of OCR, I urge all health care entities to always stay alert and take every precaution and steps to keep their systems safe from cyberattacks.”
How Compliancy Group Can Help
Healthcare organizations that use Compliancy Group’s healthcare compliance tracking software, the Guard, are better equipped to prevent, manage, and recover from security incidents.
Our software enables organizations to:
- Conduct an accurate and thorough risk analysis to identify risks and vulnerabilities to ePHI
- Mitigate risk through a risk management plan
- Develop policies and procedures through templates that include limiting access to, tracking access of, and reporting access to ePHI
We also provide employee cybersecurity training, reducing the risk of human error that often leads to ransomware incidents, and give employees the means to report incidents anonymously should they occur. Healthcare organizations that use our software can provide complete documentation of their “good faith effort” to meet HIPAA Rules in the case of an OCR audit. Had Cascade used our software to manage its compliance program prior to suffering a ransomware incident, they likely could have prevented it from occurring and would not be facing a $250,000 civil monetary penalty.