The 3-hospital health system has over 50 doctor clinics and numerous community satellite services in eastern Ohio, Pennsylvania, and the panhandle of West Virginia.
In 2017, Heritage Valley was hit by a worldwide malware attack. The NotPetya malware entered its systems through a network connection with Nuance Communications, one of its business associates. OCR opened an investigation of Heritage Valley in October 2017, after media reports of the incident, to determine whether Heritage Valley was complying with the HIPAA Security Rule.
OCR's investigation found that Heritage Valley had failed to comply with several Security Rule requirements, including the following:
- 45 C.F.R. § 164.308(a)(1)(ii)(A) – failure to conduct an accurate and thorough risk analysis of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of electronic protected health information (ePHI).
- 45 C.F.R. § 164.308(a)(7) – failure to establish and implement a contingency plan for responding to an emergency or other occurrence (such as a system failure) that damages systems containing ePHI.
- 45 C.F.R. §§ 164.308(a)(4) and 164.312(a)(1) – failure to implement policies and procedures for authorizing access to ePHI, and technical policies and procedures for electronic information systems that maintain ePHI so that access is allowed only to persons or software programs that have been granted access rights.
Ransomware groups are targeting the healthcare sector, and ransomware-related data breaches have increased 264% since 2018. Healthcare providers that fully comply with the HIPAA Security Rule reduce the chance that a ransomware attack succeeds and can limit the damage when one does.
In addition to the financial penalty, Heritage Valley has agreed to implement a corrective action plan that OCR will monitor for three years. The corrective action plan requires Heritage Valley to:
- conduct an accurate and thorough risk analysis
- develop a risk management plan to mitigate the identified risks and vulnerabilities
- review, develop, maintain, and revise its written policies and procedures to comply with the HIPAA Rules
- train its workforce on those HIPAA policies and procedures
Hacking and ransomware attacks are widespread in the healthcare industry. Failure to comply with the HIPAA Security Rule leaves healthcare entities vulnerable and makes them attractive targets for cybercriminals. Protecting patients' health information safeguards their privacy and ensures continuity of care, which is a healthcare provider's first priority.
This is OCR's third HIPAA enforcement action arising from a ransomware attack and its fifth HIPAA enforcement action with a financial penalty in 2024.
OCR reminds all HIPAA-regulated entities of their obligations under the HIPAA Security Rule to take steps to mitigate or prevent cyber threats. These include:
- Reviewing all vendor and contractor relationships to ensure that business associate agreements (BAAs) are in place and that they address breach and security incident obligations
- Integrating risk analysis and risk management into business processes, and conducting risk analyses regularly and whenever new technologies or business operations are planned
- Ensuring audit controls are in place to record and examine information system activity, and reviewing that activity regularly
- Encrypting ePHI to guard against unauthorized access and implementing multi-factor authentication on accounts
- Providing regular training specific to the organization and to job responsibilities, and reinforcing workforce members' critical role in protecting privacy and security
- Incorporating lessons learned from security incidents into the overall security management process