HIPAA enforcement

  • Writer: Katarzyna Celińska
  • 7 hours ago
  • 2 min read

HHS OCR has announced four HIPAA Security Rule settlements following separate ransomware investigations affecting over 427,000 individuals. The settlements total $1.165 million, and each organization agreed to implement a corrective action plan monitored by OCR for two years.

OCR stated that hacking and ransomware are the most frequent type of large breach reported to OCR, and emphasized that proactively implementing the HIPAA Security Rule before a breach is not only required by law, but also the best opportunity to prevent or reduce the impact of a successful cyberattack.
The four settlements involved ransomware breaches:

  • Regional Women’s Health Group / Axia Women’s Health — breach affecting 37,989 individuals, settlement of $320,000. OCR found failure to conduct an accurate and thorough risk analysis.

  • Assured Imaging — breach affecting 244,813 individuals, settlement of $375,000. OCR found impermissible disclosure of PHI, failure to conduct an accurate and thorough risk analysis, and failure to timely notify affected individuals.

  • Consociate Health — breach affecting approximately 136,539 individuals, settlement of $225,000. OCR found failure to conduct an accurate and thorough risk analysis after a phishing-related compromise led to unauthorized access.

  • Star Group Health Benefits Plan — breach affecting approximately 9,316 individuals, settlement of $245,000. OCR found impermissible disclosure of PHI and failure to conduct an accurate and thorough risk analysis.

I am glad regulators are addressing uncomfortable topics, especially failures in basic security practices. Medical data is highly sensitive, healthcare organizations are frequently attacked, ransomware remains one of the most common and destructive threats, and many parts of the sector still operate with a relatively low level of cybersecurity maturity.

Working with different organizations in the sector, I have seen recurring problems: security documentation disconnected from daily practice, underfunded IT and security teams, gaps in education and training, weak security tooling, limited monitoring, and compliance programs that sometimes simulate maturity instead of building it.

I hope that if regulatory action and financial penalties are not enough, then the operational reality of ransomware will become a turning point.

ITGRC ADVISORY LTD. 