Dive Brief:
The HHS’ Office for Civil Rights has settled two investigations into HIPAA violations following ransomware attacks on providers.
Plastic Surgery Associates of South Dakota will pay $500,000 to OCR after the agency found “multiple potential violations” of the health privacy and security rule in the wake of a 2017 ransomware incident that affected more than 10,000 people, according to a press release last week.
During an investigation into an attack reported in 2022 that compromised the data of more than 14,000 patients, OCR also found that Oklahoma-based Bryan County Ambulance Authority (BCAA) had failed to conduct a risk analysis. The emergency services provider will pay $90,000 under its settlement.
Dive Insight:
The latest settlements mark the sixth and seventh ransomware enforcement actions for the OCR. The agency settled its first ransomware investigation about a year ago.
Federal regulators have increased their focus on healthcare cybersecurity — and signaled interest in mandating more cyber standards — in the wake of growing threats.
“Thinking about that number of Americans that will be impacted, that number of cyberattacks that are impacting our healthcare system, it is the top priority for my office,” OCR Director Melanie Fontes Rainer said during an interview at HLTH last month.
The investigation into Plastic Surgery Associates of South Dakota found the provider failed to conduct a risk analysis to identify the risks and vulnerabilities to its protected health information. It also didn't implement security measures to reduce those risks, procedures to regularly review records of IT system activity, or policies to address security incidents, according to OCR.
The company agreed to implement a corrective action plan, and the agency will monitor the provider for two years. Plastic Surgery Associates of South Dakota didn’t respond to a request for comment by press time.
BCAA will also have to put a corrective action plan in place, according to OCR.
The BCAA settlement is OCR's first linked to an initiative that focuses investigations on compliance with HIPAA's risk analysis provision. Under the HIPAA Security Rule, covered entities are required to conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity and availability of the organization's electronic protected health information.
In a statement to Healthcare Dive, the emergency services provider said it was taking steps to bolster safeguards and introduce additional measures to prevent a similar event from occurring again.