Fourth OCR Ransomware Settlement: $250,000

10/31/2024

The Department of Health and Human Services Office for Civil Rights (OCR) has announced a settlement with a privately owned health care provider offering ophthalmology, dermatology and cosmetic services, relating to a ransomware attack on the provider. This marks only the fourth OCR settlement relating to ransomware, even though OCR advises that “the agency sees 264% increase in large ransomware breaches since 2018.”

“Cybercriminals continue to target the health care sector with ransomware attacks. Health care entities that do not thoroughly assess the risks to electronic protected health information and regularly review the activity within their electronic health record system leave themselves vulnerable to attack, and expose their patients to unnecessary risks of harm,” said OCR Director Melanie Fontes Rainer. “Ensuring the confidentiality of electronic protected health information is critical to protect health information privacy and integral to our national security in the health care sector. OCR urges all health care entities to take the essential precautions and stay vigilant to safeguard their systems from cyberattacks.”

OCR’s investigation ensued after it received a complaint alleging the provider experienced a ransomware attack. Through its investigation, OCR determined that approximately 291,000 files containing electronic protected health information were affected. OCR found multiple HIPAA violations, including the failure of the provider “to conduct a compliant risk analysis to determine the potential risks and vulnerabilities to ePHI in its systems, and to have sufficient monitoring of its health information systems’ activity to protect against a cyber-attack.”

As part of the settlement, the provider paid a $250,000 penalty to the OCR and will implement a corrective action plan.

If you need assistance with your data privacy and security program, please contact:
Lani M. Dornfeld, CHPC | 973.403.3136 | ldornfeld@bracheichler.com

*This is intended to provide general information, not legal advice. Please contact the authors if you need specific advice.

Lani M. Dornfeld

CHPC, Member
Healthcare Law, Cannabis Industry
