HHS Office for Civil Rights Settles ransomware cybersecurity investigation under HIPAA Security Rule for $250,000

Sept. 30, 2024
The settlement marks OCR's fourth ransomware settlement, as the agency reports a 264% increase in large ransomware breaches reported to it since 2018.

The U.S. Department of Health and Human Services (HHS), Office for Civil Rights (OCR) announced a settlement with Cascade Eye and Skin Centers, P.C., concerning potential violations of the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Security Rule, following a ransomware attack investigation by OCR.

OCR initiated an investigation after receiving a complaint alleging that Cascade Eye and Skin Centers had experienced a ransomware attack. OCR's investigation determined that approximately 291,000 files containing electronic protected health information (ePHI) were affected. OCR found multiple potential violations of the HIPAA Security Rule, including failures by Cascade Eye and Skin Centers to conduct a compliant risk analysis to determine the potential risks and vulnerabilities to the ePHI in its systems, and to sufficiently monitor its health information systems' activity to protect against a cyber-attack.

Under the terms of the settlement, Cascade Eye and Skin Centers has paid $250,000 to OCR and will implement a corrective action plan that requires it to take steps to protect and secure protected health information. OCR will monitor the corrective action plan for two years. The plan requires Cascade Eye and Skin Centers to:

  • Conduct an accurate and thorough risk analysis to determine the potential risks and vulnerabilities to the confidentiality, integrity, and availability of its ePHI;
  • Implement a risk management plan to address and mitigate the security risks and vulnerabilities identified in its risk analysis;
  • Develop a written process to regularly review records of information system activity, such as audit logs, access reports, and security incident tracking reports;
  • Develop policies and procedures for responding to an emergency or other occurrence that damages systems containing ePHI;
  • Develop written procedures to assign a unique name and/or number for identifying and tracking user identity in its systems that contain ePHI;
  • Review and revise, if necessary, its written policies and procedures to comply with the HIPAA Privacy and Security Rules.

The resolution agreement and corrective action plan may be found at: https://www.hhs.gov/hipaa/for-professionals/compliance-enforcement/agreements/cascade-eye-skin-centers-ra-cap/index.html

HHS release