During the week of January 6, 2025, the U.S. Department of Health and Human Services’ Office for Civil Rights (“OCR”) entered into resolution agreements and corrective action plans with Elgon Information Systems (“Elgon”), Virtual Private Network Solutions, LLC (“VPN Solutions”) and USR Holdings, LLC (“USR”) for violations of the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”) Security Rule.
The proposed resolutions with Elgon and VPN Solutions are the eighth and ninth ransomware investigation settlements announced by OCR. Elgon is required to pay $80,000 to OCR and will be subject to its monitoring for three years to ensure compliance with HIPAA. VPN Solutions is required to pay $90,000 and will be subject to one year of monitoring. The corrective action plans also lay out certain steps each entity is required to take to resolve potential violations of the HIPAA Privacy and Security Rules.
The proposed resolution with USR, announced on January 8, 2025, stems from a data breach in which an unauthorized third party or parties were able to access a database containing the electronic protected health information (“ePHI”) of over 2,900 individuals and to delete ePHI from that database. The resolution agreement requires USR to pay $337,750 to OCR and take steps to resolve potential violations of the HIPAA Privacy and Security Rules. USR will be subject to OCR monitoring for two years to ensure compliance with HIPAA.
Last week’s flurry of settlements is in keeping with a broader trend of OCR Security Rule enforcement activity over the past year. These agreements underscore that it is critical for organizations of all sizes that handle ePHI to ensure their compliance with the HIPAA Security Rule, which requires administrative, physical and technical safeguards to protect the confidentiality, integrity and availability of ePHI.