OCR Announces Settlements of Four Ransomware Investigations that Affected Over 427,000 Individuals

Yesterday, the U.S. Department of Health and Human Services (HHS), Office for Civil Rights (OCR) announced settlements with four regulated entities following separate ransomware investigations under HIPAA’S Security Rule. For those keeping count: the resolutions announced mark 19 completed investigations from ransomware breaches and 13 completed investigations in OCR’s Risk Analysis Initiative. The settlements follow investigations into separate ransomware breaches that collectively affected over 427,000 individuals and ePHI that included demographic data, Social Security numbers (SSNs), financial information, lab results, medications, and diagnoses or conditions. Under the settlements, the following regulated entities have agreed to implement corrective action plans subject to OCR monitoring for two years and paid a total of $1,165,000 to OCR: Regional Women’s Health Group, LLC (“RWHG”), doing business as Axia Women’s Health, is a network of women’s health care providers in New Jersey, Pennsylvania, Ohio, Indiana, and Kentucky. The ransomware breach affected 37,989 individuals. The types of ePHI affected by the breach included names, addresses, dates of birth, SSNs, driver’s license numbers, diagnoses or conditions, lab results, and medications. RWHG reported in December 2020 that an unauthorized third-party gained access to its IT network and potentially exfiltrated data from RWHG’s electronic medical record database housing patient ePHI. OCR’s investigation found that RWHG failed to conduct an accurate and thorough risk analysis to determine the potential risks and vulnerabilities to the confidentiality, integrity, and availability of its ePHI. In addition to committing to corrective actions, RWHG paid $320,000 to OCR. The resolution agreement and corrective action plan for RWHG may be found at: www.hhs.gov/hipaa/for-professionals/compliance-enforcement/agreements/ra-cap-with-rwhg/index.html . Note: Regional Women’s Health Group was doing business as Sincera Reproductive Medicine at the time. DataBreaches reported on the Maze ransomware attack and its follow-up. Assured Imaging Affiliated Covered Entities (“Assured Imaging”) is a medical imaging and screening service provider with corporate headquarters in Arizona and California. The ransomware breach affected 244,813 individuals. The types of affected ePHI included patient names, addresses, dates of birth, diagnosis and conditions, lab results, medications, and treatment information. Assured Imaging reported in May 2020 that a server on its network was infected with ransomware. OCR’s investigation determined that Assured Imaging had impermissibly disclosed PHI, failed to conduct an accurate and thorough risk analysis to determine the potential risks and vulnerabilities to the confidentiality, integrity, and availability of its ePHI, and failed to timely notify affected individuals of the breach. In addition to committing to corrective actions, Assured Imaging paid $375,000 to OCR. The resolution agreement and corrective action plan for Assured Imaging may be found at: www.hhs.gov/hipaa/for-professionals/compliance-enforcement/agreements/ra-cap-with-assured-imaging/index.html . Note: DataBreaches had reported on the Assured Imaging ransomware attack by Pysa. Consociate, Inc., doing business as Consociate Health (“Consociate”) is a third-party administrator of employee-sponsored benefit programs that provides health plan administration, plan analytics and consulting services to HIPAA covered entities as a business associate. Approximately 136,539 individuals were affected by the ransomware breach. Affected ePHI included names, addresses, dates of birth, driver’s license numbers, SSNs, credit card/bank account numbers, and diagnoses or conditions. Consociate reported in November and December 2021 that some of its information systems had been encrypted in a ransomware attack. Consociate subsequently learned that, after a successful phishing attack in July 2020, the threat actor gained access to a server that held ePHI. OCR’s investigation determined that Consociate had failed to conduct an accurate and thorough risk analysis to determine the potential risks and vulnerabilities to the confidentiality, integrity, and availability of ePHI held by Consociate. In addition to committing to corrective actions, Consociate paid $225,000 to OCR. The resolution agreement and corrective action plan for Consociate may be found at: www.hhs.gov/hipaa/for-professionals/compliance-enforcement/agreements/ra-cap-with-consociate-health/index.html . Note: Although not reported on DataBreaches.net at the time, Black Hawk College was also one of Consociate’s clients affected by the incident. In its press release , it noted its employees’ names, addresses, Social Security numbers, and/or medical information may have been involved. Star Group, L.P. Health Benefits Plan (“SG Health Plan”) is the self-funded employee benefits plan of a Connecticut-based energy provider. About 9,316 individuals were affected by the ransomware breach. Affected ePHI included names, addresses, dates of birth, SSNs, and health insurance information, such as member identification numbers, claims data, and benefit selection information. SG Health Plan reported in October 2021 that an unauthorized actor deployed ransomware on SG Health Plan’s information system and exfiltrated PHI. OCR’s investigation determined that SG Health Plan had impermissibly disclosed PHI and failed to conduct an accurate and thorough risk analysis to determine the potential risks and vulnerabilities to the confidentiality, integrity, and availability of its ePHI. In addition to committing to corrective actions, SG Health Plan paid $245,000 to OCR. Note: DataBreaches was unable to find any listing in HHS’s public breach tool for Star Group or SG Health Plan. The only Star Group note we had in our non-public worksheets was a ransomware report for Petro Milro Patriot Propane Perillo in CT, which involved Star Group, but that report was for less than 1,400 people. OCR’s press release reminds people of its recommendations to prevent or mitigate incidents: Identify where ePHI is located in the organization, including how ePHI enters, flows through, and leaves the organization’s information systems. Periodically conduct, and update as needed, a risk analysis and develop and implement a risk management plan to address identified risks and vulnerabilities to the confidentiality, integrity, and availability of ePHI. Ensure audit controls are in place to record and examine information system activity. Implement regular review of information system activity. Utilize mechanisms to authenticate information to ensure only authorized users are accessing ePHI. Encrypt ePHI in transit and at rest to guard against unauthorized access to ePHI when appropriate. Incorporate lessons learned from incidents into the organization’s overall security management process. Provide workforce members with regular HIPAA training that is specific to the organization and to the workforce members’ respective job duties. Category: Commentaries and Analyses Health Data HIPAA Of Note Subcontractor U.S.