The HHS’ Office for Civil Rights (OCR) has reported reaching a settlement that ended the investigation of a ransomware attack. Because Virtual Private Network Solutions failed to perform a HIPAA-compliant risk analysis, it will pay OCR a $90,000 financial penalty.
This is OCR’s 9th ransomware investigation to end in a financial penalty because of HIPAA Security Rule noncompliance, and the 3rd HIPAA penalty issued under OCR’s risk analysis enforcement initiative. Virtual Private Network Solutions (VPNS), a data hosting and cloud services provider based in Virginia, notified OCR of a ransomware attack that it identified on October 31, 2021. On December 30, 2021, VPNS submitted a breach report covering 12 affected covered entity clients and the protected health information (PHI) of 6,400 individuals. The information exposed in the incident included names, birth dates, addresses, Social Security numbers, driver’s license data, other identifiers, claim data, bank account numbers, other financial data, diagnoses/conditions, laboratory results, prescription drugs, and other treatment details. The total number of affected clients is uncertain; Arlington Skin in Virginia, which had 17,468 affected patients, reported the breach on its own.
OCR’s investigation confirmed that VPNS had not carried out an accurate and thorough risk analysis to identify all threats and vulnerabilities to the confidentiality, integrity, and availability of electronic protected health information (ePHI), as required by 45 C.F.R. § 164.308(a)(1)(ii)(A) of the HIPAA Security Rule. VPNS chose to settle the alleged violation without admitting liability, agreeing to pay a $90,000 financial penalty and to follow a corrective action plan.
The corrective action plan requires VPNS to conduct an accurate and thorough risk analysis, develop and implement a risk management plan, and develop and implement HIPAA policies and procedures covering risk analysis, risk management, a data backup plan, security incident procedures, security awareness training, and breach notification. OCR will monitor VPNS’ compliance for 12 months.
An accurate and thorough risk analysis is central to HIPAA compliance and to defending against cyberattacks: an organization cannot manage risks it has never identified. HIPAA-covered entities that do not conduct one are left exposed to hacking incidents and cyberattacks. OCR encourages healthcare entities to take the steps necessary to reduce risks and vulnerabilities and protect PHI.
Risk analysis is a core HIPAA Security Rule requirement, yet many HIPAA-covered entities either fail to conduct one at all or limit it to some systems, leaving out other systems that store ePHI and other places where ePHI is collected, stored, or transmitted. The proposed HIPAA Security Rule update includes more specific risk analysis requirements to make clear exactly what a risk analysis must cover.
Summarizing the state of OCR’s enforcement activities, OCR Director Melanie Fontes Rainer stated that 2022 saw 22 enforcement actions involving civil monetary penalties or settlements of HIPAA compliance issues. OCR’s collections for 2024 include over $9.9 million in civil monetary penalties and settlements of HIPAA violations.
Photo credits: tippapatt, AdobeStock / logo © Virtual Private Network Solutions