The U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR) reached a settlement with Cascade Eye and Skin Centers, P.C., after investigating a ransomware attack that impacted 291,000 electronic protected health information (ePHI) files. The investigation revealed potential violations of the HIPAA Security Rule, including failures to conduct a proper risk analysis and to monitor health system activity effectively. Cascade Eye and Skin Centers has agreed to pay $250,000 and implement a corrective action plan to address these deficiencies.
OCR emphasized the increasing threats of ransomware and cyberattacks targeting the health care sector. Since 2018, large breaches involving ransomware have surged by 264%. OCR urged health care entities to prioritize robust security measures, including regular risk assessments, system activity reviews, and multi-factor authentication, to safeguard electronic health information and reduce vulnerabilities.
As part of the corrective action plan, Cascade Eye and Skin Centers will enhance its security practices over the next two years under OCR’s monitoring. Required steps include conducting a thorough risk analysis, developing a risk management plan, implementing system activity reviews, and improving emergency response procedures. Additional measures involve assigning unique user identifiers and revising policies to align with HIPAA Privacy and Security Rules.
OCR’s findings underscore the importance of compliance with the HIPAA Security Rule to protect patient information and national health care security. Health care providers and associated entities are advised to regularly evaluate and strengthen their cybersecurity protocols, incorporate lessons from breaches, and train their workforce to uphold privacy and security standards effectively.
Reference:
