On September 26, 2024, the U.S. Department of Health and Human Services’ (“HHS”) Office for Civil Rights (“OCR”) entered into a resolution agreement and corrective action plan with Cascade Eye and Skin Centers, P.C. (“Cascade”) following a ransomware attack that impacted approximately 291,000 files containing electronic protected health information (“PHI”). Cascade, a Washington-based health care provider, experienced a ransomware attack in March 2017, and OCR learned of the incident in May 2017. OCR’s subsequent investigation indicated multiple potential violations of the HIPAA Security Rule, including Cascade’s failure to conduct a compliant risk analysis to determine potential risks and vulnerabilities to electronic PHI in its systems and failure to adequately monitor its health information systems to protect against cyber attacks.
The resolution agreement requires Cascade to pay $250,000 to OCR and enter into a corrective action plan that obligates Cascade to implement various controls and procedures, all of which must be reviewed and approved by HHS. These obligations include:
- Conducting a risk analysis to determine the potential risks and vulnerabilities to the electronic PHI stored in its systems, the scope and methodology of which must be submitted to HHS for review within 30 days.
- Developing and implementing a risk management plan to address risks and vulnerabilities identified in the risk analysis.
- Developing and implementing a written process to regularly review information system activity.
- Developing and implementing a contingency plan for responding to occurrences that damage systems containing PHI.
- Implementing a process for assigning unique names and/or numbers to identify and track user identity within its systems.
- Reviewing and revising its written policies and procedures to comply with the HIPAA Privacy, Security, and Breach Notification Rules.
OCR will monitor the corrective action plan for two years.
This enforcement action is consistent with OCR’s increased focus in 2024 on taking action against healthcare providers following ransomware attacks. In its press release announcing the enforcement action, OCR cited a 264% increase in large breaches reported to the Office involving ransomware attacks. The Cascade agreement and corrective action plan underscore the need for organizations, including organizations in the heavily targeted health care sector, to implement effective data protection measures, particularly with respect to conducting and regularly reviewing risk assessments. OCR noted that “hacking and ransomware are the primary cyber-threats in health care” and provided a list of recommendations for HIPAA-covered entities to prevent and mitigate cyber-threats.