The Department of Health and Human Services (HHS) Office for Civil Rights (OCR) has reached a $250,000 settlement with Cascade Eye and Skin Centers, P.C., a privately owned healthcare provider based in Washington, over alleged violations of the Health Insurance Portability and Accountability Act (HIPAA). The settlement follows a ransomware attack in March 2017 that compromised patient data stored on the provider’s network. On May 26, 2017, OCR became aware of the incident, which involved unauthorized access to a server containing 291,000 files with patients’ protected health information (PHI).
OCR’s investigation revealed that Cascade Eye and Skin Centers had not conducted a complete, organization-wide risk analysis to determine and take care of potential risks to electronic protected health information (ePHI). The healthcare provider failed to comply with HIPAA rule 45 C.F.R. § 164.308(a)(1)(ii)(A), which mandates such an analysis to ensure that vulnerabilities to ePHI are identified and mitigated.
OCR also discovered that Cascade Eye and Skin Centers did not implement adequate procedures for reviewing system activity, as outlined in 45 C.F.R. § 164.308(a)(1)(ii)(D). This requirement ensures that healthcare organizations regularly monitor their information systems to detect unauthorized access or suspicious activity that could jeopardize patient data.
Rather than contest the findings, Cascade Eye and Skin Centers opted to settle the case without admitting wrongdoing or liability. The healthcare provider will pay a $250,000 financial penalty and implement a corrective action plan, which is subject to two years of monitoring by OCR.
As part of the corrective action plan, Cascade Eye and Skin Centers committed to performing a risk analysis of its systems to identify and address future threats to the integrity, confidentiality, and availability of ePHI. The organization will also implement policies and procedures for reviewing system activity on a regular basis, creating emergency response protocols for incidents affecting ePHI systems, and nominating unique identifiers to track user activity within those systems.
Ransomware attacks on healthcare organizations have increased in recent years, exposing sensitive patient data and disrupting healthcare services. Melanie Fontes Rainer, the OCR Director, emphasized the ongoing threat posed by cybercriminals and the importance of implementing cybersecurity measures. She noted that healthcare providers that fail to adequately assess risks and regularly review system activity make themselves more susceptible to attacks, thereby exposing their patients to risks.
The healthcare sector’s exposure to ransomware has increased with ransomware-related big data breaches increasing by 264% since 2018. The OCR has called on all HIPAA-regulated entities to take immediate steps to protect patient data by following these cybersecurity measures:
- Ensure that business associate agreements with contractors and vendors are signed and address responsibilities in case of breaches.
- Regular risk analysis and management are incorporated into business operations to identify and mitigate vulnerabilities.
- Implement audit controls, recording and reviewing activities within information systems to detect unauthorized access or malicious activity.
- Conduct regular checks of information system activity to identify any potential security issues early.
- Implement Multi-Factor Authentication (MFA) as an additional layer of security to stop unauthorized access to ePHI.
- Encrypt ePHI to prevent unauthorized individuals from accessing sensitive patient data.
- Improve overall security management process by incorporating lessons learned from security incidents.
- HIPAA training of employees should include cybersecurity awareness and mitigation.
The settlement with Cascade Eye and Skin Centers marks the fourth financial penalty enforced by OCR in connection with a ransomware-related data breach. The agency has already issued seven financial penalties for alleged HIPAA violations in 2024 alone.