Ransomware Attack Results in $950,000 HIPAA Settlement

The U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR) reached a $950,000 settlement with Heritage Valley Health System over alleged HIPAA Security Rule violations. Heritage Valley operates hospitals and other medical facilities in Ohio, Pennsylvania, and West Virginia.

The Ransomware Attack and Following Investigation

Heritage Valley was the victim of a ransomware attack in 2017. The malware, known as Petya (the June 2017 outbreak later identified as NotPetya), spread across the entire health system, forcing the closure of lab and diagnostic services, the cancellation of surgeries, and other interruptions. Heritage Valley sued Nuance Communications, claiming the malware entered its network through a connection with Nuance's systems. A judge dismissed the case.

The OCR investigation that followed the attack found multiple potential violations of the HIPAA Security Rule. The alleged violations by Heritage Valley include:

  • Failure to conduct a compliant risk analysis to determine its systems’ potential risks and vulnerabilities to electronic protected health information (ePHI).
  • Failure to implement a contingency plan for responding to emergencies, such as a ransomware attack, that damage systems containing ePHI.
  • Failure to implement policies and procedures to allow only authorized users access to ePHI.

The Settlement

In addition to the $950,000 payment, Heritage Valley agreed to a corrective action plan that OCR will monitor for three years. The plan requires Heritage Valley to:

  • Conduct an accurate and thorough risk analysis to determine the potential risks and vulnerabilities to the confidentiality, integrity, and availability of its ePHI.
  • Implement a risk management plan to address and mitigate the security risks and vulnerabilities identified in that risk analysis.
  • Review, develop, maintain, and revise its written policies and procedures as necessary to comply with the HIPAA Rules.
  • Train its workforce on those HIPAA policies and procedures.

Previous Enforcements

This is the third, and largest, HIPAA Security Rule enforcement action resulting from a ransomware attack. In October 2023, Doctors' Management Services agreed to a $100,000 settlement and three years of compliance monitoring after a ransomware attack compromised the data of more than 206,000 people. In February 2024, Green Ridge Behavioral Health agreed to a $40,000 settlement and a corrective action plan after an attack that affected the PHI of more than 14,000 people.

The Growing Ransomware Threat in Healthcare

Since 2018, large breach reports to OCR involving ransomware have increased by 264%. The most notable incident has been the crippling attack on Change Healthcare, which had a massive impact across the healthcare industry. Change Healthcare paid the group behind the attack, known as ALPHV/BlackCat, a $22 million ransom.

In May 2024, Ascension, which operates about 140 hospitals across 19 states and Washington, D.C., was hit by Black Basta ransomware. The attack took IT systems offline, causing canceled appointments, ambulance diversions, and other disruptions.

To learn about steps your organization can take to protect itself from ransomware and other cybersecurity risks, read our Change Healthcare Attack – What We Can Learn blog and listen to its companion podcast episode.

CompliancePoint's team of security and privacy experts helps healthcare organizations achieve HIPAA compliance and HITRUST certification. We can guide you through the design, implementation, and management of a more effective cybersecurity program. To learn more about our services, contact us today at connect@compliancepoint.com.

Finding a credible expert with the appropriate background, expertise, and credentials can be difficult. CompliancePoint is here to help.