The Office for Civil Rights of the Department of Health and Human Services (OCR) announced on September 26, 2024, that it had entered a settlement with Cascade Eye and Skin Centers (together, Cascade) for $250,000 following an investigation of a ransomware attack against them.
This is the fourth settlement against a victim of a ransomware attack. According to the OCR’s press release, “Ransomware and hacking are the primary cyber-threats in health care. Since 2018, there has been a 264% increase in large breaches reported to OCR involving ransomware attacks.”
The OCR’s investigation found that 291,000 files were affected by the attack. Based on that investigation, OCR alleges that Cascade potentially violated HIPAA by failing to conduct a risk analysis and by not having sufficient monitoring of its systems to prevent a cyber-attack.
The settlement is a stark reminder to covered entities and business associates that even if you are a victim of a criminal attack, you are still required to follow HIPAA. Having a robust HIPAA compliance program in place is essential to protecting against threats and possible enforcement actions. Many HIPAA-regulated entities are reviewing their HIPAA compliance programs at this time to address the recent amendment to HIPAA regarding reproductive health information. For instance, Notices of Privacy Practices are required to be updated by December 2024. Now is the time to review and update your HIPAA compliance program.
This post is also being shared on our Data Privacy + Cybersecurity Insider blog. If you’re interested in getting updates on developments affecting data privacy and security, we invite you to subscribe to the blog.