A U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR) investigation into a series of ransomware attacks against an orthopedic group has left Providence Medical Institute with a $240,000 civil monetary penalty.
Providence Medical Institute is a California-based physician services organization with 275 providers who work in 35 medical offices throughout Southern California. In 2016, Providence Medical Institute acquired Center for Orthopaedic Specialists, a California-based orthopedic group.
After the acquisition, Center for Orthopaedic Specialists began to transition to Providence Medical Institute’s network. Before the transition was complete, Center for Orthopaedic Specialists was hit with three ransomware attacks, all by the same attacker over three consecutive Sundays.
According to the OCR findings of fact, the compromised data included electronic protected health information (ePHI) belonging to 85,000 individuals. The OCR also found that the compromised information included the following (quoted from the findings):
- names,
- addresses,
- dates of birth,
- driver’s license numbers,
- Social Security numbers,
- lab results,
- medications,
- treatment information,
- credit card information,
- bank account numbers, and other financial information.
According to an HHS press release, “OCR found two potential violations of the HIPAA Security Rule, including failure to have a business associate agreement in place and failure to implement policies and procedures to allow only authorized persons or software programs access to ePHI.” Providence Medical Institute did not contest OCR’s findings or the civil monetary penalty of $240,000.
In the HHS press release, OCR Director Melanie Fontes Rainer commented, “Failures to fully implement all of the HIPAA Security Rule requirements leaves HIPAA covered entities and business associates vulnerable to cyberattacks at the expense of the privacy and security of patients’ health information.”
Rainer continued, “The health care sector needs to get serious about cybersecurity and complying with HIPAA. OCR will continue to stand up for patient privacy and work to ensure the security of health information of every person. On behalf of OCR, I urge all health care entities to always stay alert and take every precaution and steps to keep their systems safe from cyberattacks.”
Ransomware attacks and hacking are a serious issue for the health care industry. According to the HHS press release, “there has been a 264% increase in large breaches reported to OCR involving ransomware attacks since 2018.”
This threat should not come as a surprise to OTW readers. OTW has covered countless cyberattacks against orthopedic groups and others in the medical industry. For OTW’s previous coverage of cyberattacks, see “Who Pays for a Data Breach?,” “Bienville Orthopaedic Specialists Sued Over Data Breach,” “The Price of a Data Breach,” “Banner Health Agrees to Pay $6 Million for Data Breach,” “Victims Can Sue Ortho Clinics if Data Hacked,” and “Anthem Pays a Record $16 Million to Settle Data Breach.”