The Department of Health and Human Services (HHS) has reached a $90,000 settlement with Oklahoma-based Bryan County Ambulance Authority (BCAA) to settle a potential violation of the Health Insurance and Portability and Accountability Act of 1996 (HIPAA) Security Rule linked to a ransomware attack against BCAA that breached the provider’s encrypted files and impacted more than 14,000 of its patients.
In announcing the settlement on Oct. 31, the HHS Office for Civil Rights said the breach represented a potential violation of the HIPAA Security Rule which mandates national standards to safeguard individuals’ electronic personal health information.
The security breach occurred in November 2021 and was reported to OCR in May 2022. An investigation of the breach conducted by OCR determined that BCAA had “failed to conduct a compliant risk analysis to determine the potential risks and vulnerabilities” of electronic protected health information (ePHI).
“Failure to conduct a HIPAA Security Rule risk analysis leaves health care entities vulnerable to cyberattacks, such as ransomware. Knowing where your ePHI is held and the security measures in place to protect that information is essential for compliance with HIPAA,” said OCR Director Melanie Fontes Rainer.
The settlement agreement includes a three-year corrective action plan, requiring BCAA to submit findings to OCR after conducting a comprehensive and accurate risk analysis. Additional requirements include implementing a risk management plan, developing and revising written policies and procedures to remain HIPPA compliant, and training BCCA’s workforce on HIPPA policies and procedures.
The settlement is also the first under OCR’s new Risk Analysis Initiative, which aims to encourage better cybersecurity practices to protect health data.
“OCR created the Risk Analysis Initiative to increase the number of completed investigations and highlight the need for more attention and better compliance with this Security Rule requirement,” said Fontes Rainer.
Since 2018 there has been a 264 percent increase in large ransomware attacks reported to OCR, with HHS calling ransomware and hacking the “primary cyberthreats in health care.” BCCA’s settlement marks OCR’s seventh ransomware enforcement action, according to HHS.
