OCR Imposes $240,000 Fine in Ransomware Case

Providence Medical Institute Faces $240,000 Penalty for HIPAA Security Violations

The U.S. Department of Health and Human Services (HHS), Office for Civil Rights (OCR), announced a $240,000 civil monetary penalty against Providence Medical Institute, located in Southern California, on October 3.

This penalty stems from potential violations of the HIPAA Security Rule following a series of ransomware attacks that exposed the electronic protected health information (ePHI) of 85,000 individuals between February and March 2018.

Since then, ransomware breaches have skyrocketed, increasing by more than 260%. “The healthcare sector needs to take cybersecurity and HIPAA compliance seriously,” warned OCR Director Melanie Fontes Rainer.

OCR Fines Providence Medical Institute After Ransomware Breach Investigation

OCR initiated an investigation after receiving a breach report filed by Providence Medical Institute in April 2018, which showed that a series of ransomware attacks impacted its systems.

The investigation revealed that the servers containing the patient information were encrypted by ransomware on three separate occasions. OCR found two potential violations of the HIPAA Security Rule:

  1. failure to have a business associate agreement in place
  2. failure to implement policies and procedures to allow only authorized persons or software programs access to ePHI

Proactive Steps to Safeguard Patient Data and Avoid HIPAA Fines

Health care organizations and their business associates must proactively safeguard patient data. The following recommended measures include links to PrivaPlan articles for more details.

  • Vendor Audits & Business Agreements: Ensure that all vendors and contractors have appropriate business associate agreements that outline responsibilities in case of a breach. Performing a vendor risk assessment is ideal.
  • Routine Risk Analysis: Incorporate regular risk assessments into your processes, especially when introducing new technologies or business strategies.
  • Incident Learning: Use lessons from past incidents to continuously refine your organization’s security strategies. Disaster recovery and testing planning is a HIPAA requirement.
  • Ongoing Training: To ensure your staff is well-versed in safeguarding privacy and security, regularly provide managed phishing testing and cybersecurity awareness training.
  • Multi-Factor Authentication: Implement two-step verification protocols to ensure only approved users can access sensitive ePHI.
  • Data Encryption: Encrypt ePHI to add an extra layer of security against unauthorized access. This is also an essential goal in the HIPAA Security Rule Updates.

“Failures to fully implement all of the HIPAA Security Rule requirements leave HIPAA-covered entities and business associates vulnerable to cyberattacks at the expense of the privacy and security of patients’ health information,” said Rainer. And, as the most recent fine demonstrates, it can be a financially costly error for an entity to make.

Safeguard Your Data

PrivaPlan can help you ensure HIPAA compliance with services tailored to your organization’s needs.
