On October 31, 2024, the U.S. Department of Health and Human Services’ (“HHS”) Office for Civil Rights (“OCR”) announced a resolution agreement and corrective action plan with Plastic Surgery Associates of South Dakota in Sioux Falls (“PSASD”) stemming from the organization’s failure to comply with the HIPAA Security Rule. In July 2017, PSASD notified OCR of the breach. PSASD’s breach report indicated that in February 2017, nine workstations and two servers were infected with ransomware, impacting the protected health information (“PHI”) of 10,229 individuals. The threat actor gained access to PSASD’s network using a brute force attack on the company’s remote desktop protocol. PSASD was unable to restore the affected servers from backups and made two Bitcoin payments, which totaled $27,399.97, to the threat actor in exchange for decryption keys.
OCR’s subsequent investigation indicated multiple potential violations of the HIPAA Security Rule, including PSASD’s failure to conduct a compliant risk analysis to determine the potential risks and vulnerabilities to electronic PHI (“ePHI”) in its systems, implement security measures sufficient to reduce the risks and vulnerabilities to ePHI to a reasonable and appropriate level, implement procedures to regularly review records of information system activity, and implement policies and procedures to address security incidents.
The resolution agreement requires PSASD to pay $500,000 to OCR and implement a corrective action plan that OCR will monitor for two years, including the following measures:
- Conducting an accurate and thorough risk analysis to determine the potential risks and vulnerabilities to the confidentiality, integrity and availability of its ePHI, including a comprehensive asset inventory to be completed prior to the risk analysis;
- Implementing a written risk management plan to address and mitigate security risks and vulnerabilities identified in the risk analysis;
- Implementing policies and procedures to address security incidents, including (1) a process for identifying and responding to known security incidents, (2) mitigating, to the extent practicable, harmful effects of known security incidents, and (3) documenting (in writing) security incidents and their outcomes;
- Implementing policies and procedures to establish methods to create and maintain retrievable exact copies of ePHI, including a process to (1) test the recoverability of backups on a regular basis to ensure that a retrievable exact copy will be available, (2) create and maintain multiple copies of encrypted backups, and (3) securely store backups in differing locations;
- Implementing policies and procedures to verify the identity of a person or entity seeking access to ePHI;
- Implementing policies and procedures for electronic information systems that maintain ePHI to allow access only to those persons or software programs that have been granted access rights;
- Revising its policies and procedures relating to the uses and disclosures of PHI to ensure that its workforce members understand (1) the circumstances under which PHI may be used and disclosed, (2) how to identify situations that constitute impermissible uses and disclosures of PHI, and (3) how and when to report situations that might constitute impermissible uses and/or disclosures of PHI;
- Revising its breach notification policies and procedures to ensure that its workforce members understand that, following a breach of unsecured PHI, affected individuals must be notified without unreasonable delay and in no case later than 60 (sixty) calendar days after the discovery of the breach, and that notification must be made to the HHS Secretary and, in certain circumstances, to the media; and
- Training its workforce on HIPAA policies and procedures.
The same day, OCR also announced a resolution agreement and corrective action plan with Bryan County Ambulance Authority (“BCAA”), an Oklahoma-based provider of emergency medical services. In May 2022, OCR received a breach report regarding a November 2021 ransomware incident. The report indicated that the incident impacted the PHI of approximately 14,273 patients. OCR subsequently launched an investigation and determined that BCAA failed to conduct a compliant risk analysis to determine the potential risks and vulnerabilities to ePHI in BCAA’s systems in accordance with the HIPAA Security Rule.
Pursuant to the resolution agreement, BCAA agreed to pay $90,000 and enter into a corrective action plan that OCR will monitor for three years, including:
- Conducting an accurate and thorough risk analysis to determine the potential risks and vulnerabilities to the confidentiality, integrity, and availability of its ePHI, including a complete asset inventory;
- Implementing an enterprise-wide risk management plan to address and mitigate security risks and vulnerabilities identified in the risk analysis;
- Developing, maintaining, distributing, and revising, as necessary, its written policies and procedures to comply with the HIPAA Rules; and
- Training its workforce on its HIPAA policies and procedures.
The settlements mark the sixth and seventh OCR enforcement actions related to ransomware attacks (read our previous coverage on Cascade Eye and Skin Centers, P.C. and Providence Medical Institute). The BCAA settlement is also the first enforcement action under OCR’s Risk Analysis Initiative. OCR’s Risk Analysis Initiative was “created to focus select investigations on compliance with the HIPAA Security Rule Risk Analysis provision, a key Security Rule requirement, and the foundation for effective cybersecurity and the protection of electronic protected health information (ePHI).” Read more about OCR’s Security Risk Assessment Tool, which provides helpful insight into how OCR views the HIPAA Risk Analysis requirement.