
News

December 19, 2024

NYMGMA eNewsletter: "Recent Enforcement Actions Demonstrate That Cyberattacks Present Huge HIPAA Liability for Medical Practices"

Fran Ciardullo, special counsel, published her article “Recent Enforcement Actions Demonstrate That Cyberattacks Present Huge HIPAA Liability for Medical Practices” in the December 2024 issue of New York Beat, the monthly enewsletter from the New York Medical Group Management Association (NYMGMA). The article discusses recent enforcement actions by the US Department of Health and Human Services (HHS) Office for Civil Rights (OCR), which underscore the significant HIPAA liability faced by medical practices due to ransomware attacks.

Cyberthreats in health care have surged, with reported ransomware breaches of electronic health information increasing by 264 percent since 2018. In October 2023, OCR imposed its first ransomware-related fine, settling with a business associate for $100,000. In the following year, OCR announced several enforcement actions, including penalties against Cascade Eye and Skin Centers, Providence Medical Institute, Plastic Surgery Associates of South Dakota, and Bryan County Ambulance Authority. These settlements highlighted violations such as inadequate risk analysis, lack of system monitoring, and absence of required business associate agreements, with penalties ranging from $90,000 to $500,000.

These cases emphasize the critical need for HIPAA-covered entities to proactively protect electronic protected health information (ePHI) through robust compliance efforts. Fran’s article provides steps health care providers can take to mitigate risks and avoid substantial penalties, including conducting thorough risk analyses, implementing risk management plans, monitoring system activities, and ensuring vendor compliance through business associate agreements. The article also notes additional protective measures, such as multifactor authentication, encryption of ePHI, and regular workforce training, which are crucial for maintaining data security. OCR’s intensified focus on cybersecurity compliance serves as a warning for health care organizations to strengthen their defenses against the growing threat of ransomware.
