HHS Office for Civil Rights Settles HIPAA Ransomware Cybersecurity Investigation with Public Hospital

Originally published HHS Office for Civil Rights Settles HIPAA Ransomware Cybersecurity Investigation with Public Hospital on April 23, 2025 15:43 by https://www.hstoday.us/subject-matter-areas/cybersecurity/hhs-office-for-civil-rights-settles-hipaa-ransomware-cybersecurity-investigation-with-public-hospital/?utm_source=rss&utm_medium=rss&utm_campaign=hhs-office-for-civil-rights-settles-hipaa-ransomware-cybersecurity-investigation-with-public-hospital at Homeland Security

The U.S. Department of Health and Human Services (HHS), Office for Civil Rights (OCR) has announced a settlement with Guam Memorial Hospital Authority (GMHA), a public hospital on the U.S. Territory, island of Guam, concerning a potential violation of the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Security Rule, following the receipt of two complaints alleging that the electronic protected health information (ePHI) of GMHA patients was impermissibly disclosed.

OCR enforces the HIPAA Privacy, Security, and Breach Notification Rules, which set forth the requirements that covered entities (health plans, health care clearinghouses, and most health care providers), and business associates must follow to protect the privacy and security of protected health information.

OCR initiated an investigation following the receipt of a complaint in January 2019 alleging that GMHA experienced a ransomware attack affecting the ePHI of approximately 5,000 individuals. During the investigation, OCR received another complaint in March 2023 alleging that hacker(s) had accessed patient records. OCR’s investigation determined that GMHA had failed to conduct an accurate and thorough risk analysis to determine the potential risks and vulnerabilities to ePHI held by GMHA.

“Ransomware and hacking are the primary cyber-threats to electronic protected health information within the health care industry. Failure to conduct a HIPAA risk analysis puts this information at risk and vulnerable to future ransomware attacks and other cyber-threats,” said OCR Acting Director Anthony Archeval.

Under the terms of the resolution agreement, GMHA agreed to implement a corrective action plan that will be monitored by OCR for three years, and paid OCR $25,000. Under the corrective action plan, GMHA has agreed to take a number of steps to ensure compliance with the HIPAA Security Rule and protect the security of ePHI, including:

• Conduct an accurate and thorough risk analysis to determine the potential risks and vulnerabilities to the confidentiality, integrity, and availability of its ePHI;
• Develop and implement a risk management plan to address and mitigate security risks and vulnerabilities identified in its risk analysis;
• Develop a written process to regularly review records of information system activity, such as audit logs, access reports, and security incident tracking reports;
• Develop, maintain, and revise, as necessary, written policies and procedures to comply with the HIPAA Privacy, Security and Breach Notification Rules;
• Augment its existing HIPAA and security training program so all workforce members with access to PHI understand the HIPAA requirements and GMHA’s HIPAA policies and procedures;
• Enhance workforce security and information access management by reviewing all access credentials that have been granted access to ePHI; and
• Conduct breach risk assessments and provide evidence to OCR that all breach notification obligations have been conducted.

OCR recommends that health care providers, health plans, clearinghouses, and business associates that are covered by HIPAA take the following steps to mitigate or prevent cyber-threats:

• Identify where ePHI is located in the organization, including how ePHI enters, flows through, and leaves the organization’s information systems.
• Integrate risk analysis and risk management into the organization’s business processes.
• Ensure that audit controls are in place to record and examine information system activity.
• Implement regular reviews of information system activity.
• Utilize mechanisms to authenticate information to ensure only authorized users are accessing ePHI.
• Encrypt ePHI in transit and at rest to guard against unauthorized access to ePHI when appropriate.
• Incorporate lessons learned from incidents into the organization’s overall security management process.
• Provide workforce members with regular HIPAA training that is specific to the organization and to the workforce members’ respective job duties.

The resolution agreement and corrective action plan may be found at: https://www.hhs.gov/sites/default/files/ocr-hipaa-recap-gmha.pdf, opens in a new tab [PDF, 228 KB]

The HHS Breach Portal: Notice to the Secretary of HHS Breach of Unsecured Protected Health Information may be found at: https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf

The original announcement can be found here.

The post HHS Office for Civil Rights Settles HIPAA Ransomware Cybersecurity Investigation with Public Hospital appeared first on HSToday.

Originally published HHS Office for Civil Rights Settles HIPAA Ransomware Cybersecurity Investigation with Public Hospital on April 23, 2025 15:43 by https://www.hstoday.us/subject-matter-areas/cybersecurity/hhs-office-for-civil-rights-settles-hipaa-ransomware-cybersecurity-investigation-with-public-hospital/?utm_source=rss&utm_medium=rss&utm_campaign=hhs-office-for-civil-rights-settles-hipaa-ransomware-cybersecurity-investigation-with-public-hospital at Homeland Security

Originally published Homeland Security