OCR Enforcement from a Phishing Attack

OCR is the Office for Civil Rights, the enforcement department that oversees the Health Insurance Portability and Accountability Act (HIPAA).

On December 7, 2023, OCR announced the first settlement against a healthcare entity where the breach was the result of a phishing attack that led to a ransomware attack.

Phishing, or malicious email, is a common method that hackers use to gain access to systems. In a phishing email, the attacker pretends to be a legitimate company or entity and tricks the recipient into opening an attachment or following a link. When the attachment is opened, malicious code is downloaded onto the system, which gives the hacker access to it. Most phishing emails are the result of social engineering techniques: the hacker learns just enough about the target to make the email look legit.

In this case, 34,862 patients were impacted when a phishing email was opened on March 30, 2021, which gave the hacker access to the practice's computers and allowed the hacker to view and steal patient information. As a result of this attack, the practice was fined $480,000. Why was the enforcement so high?

Any time there is a data breach or unauthorized access of patient information, all patients involved must be notified as soon as possible so that they can take action to protect themselves. OCR must also be notified. OCR then investigates why the patient information was compromised.

During the investigation, OCR determined that the practice, as in many of OCR's investigations, had not completed a risk analysis, which is required under HIPAA. A risk analysis is a process of identifying and assessing potential vulnerabilities or risks that could adversely impact the practice financially and reputationally, and determining what steps could be taken to reduce the potential impact.

This was the first enforcement for a cyber-attack, but it certainly will not be the last. As cyber-attacks become more prevalent and sophisticated, OCR is going to continue to levy these fines. We know this because even when the enforcement has been the result of failing to release records in a timely manner, the lack of a risk analysis is considered within the enforcement actions.

The federal government is not the only authority that levies fines and penalties. New York Attorney General Letitia James levied a fine of $450,000 and is requiring the healthcare entity to invest $1.2 million in cybersecurity controls as the result of a cyber-attack that happened in May 2021. This attack involved 175,077 residents of New York.

In 2021, there was an amendment to HIPAA that implemented a "Safe Harbor". For practices that can demonstrate and document an ongoing security management program, it could reduce the potential fines and penalties. A risk analysis is the initial step in establishing a strong security management plan, and ongoing analysis is required to make sure that the steps the practice is taking are reducing the potential risks to the practice.
