Guam Memorial Hospital Authority (GMHA) has agreed to pay $25,000 to settle a HIPAA violation case. The U.S. Department of Health and Human Services’ Office for Civil Rights (HHS OCR) investigated the hospital after a ransomware incident in December 2018, which affected 5,000 individuals’ protected health information. Another complaint was filed in 2023 regarding unauthorized access by two former employees who had left GMHA earlier. HHS OCR’s investigation revealed that GMHA failed to conduct a comprehensive risk analysis to identify vulnerabilities in its electronic protected health information (ePHI) systems.
The lack of a thorough risk analysis exposed the hospital to risks such as ransomware and hacking. These cyberthreats are prominent within the healthcare sector, and failure to address these vulnerabilities leaves sensitive data at risk. Anthony Archeval, acting director of HHS OCR, emphasized the importance of conducting a HIPAA risk analysis to protect against such cyberattacks. Without proper measures, hospitals like GMHA are vulnerable to further breaches, potentially compromising patient data.
As part of the settlement, GMHA agreed to implement a corrective action plan to ensure HIPAA compliance. The plan includes conducting an accurate risk analysis, creating a risk management strategy, and enhancing audit and security incident tracking. Additionally, GMHA must improve its HIPAA training program for its workforce and review access credentials to ePHI regularly. These steps aim to strengthen GMHA’s security and prevent future breaches.
This settlement marks the 11th ransomware enforcement action by HHS OCR, reflecting ongoing scrutiny of healthcare institutions’ cybersecurity practices. The case also underscores the increasing number of HIPAA enforcement actions as part of HHS OCR’s Risk Analysis Initiative, which began in 2024. GMHA’s settlement is the first action finalized in 2025 and the 10th HIPAA enforcement for the year.
Reference:
