The Double Threat: Ransomware Attack Followed by HIPAA Non-Compliance Settlement

Imagine getting a papercut then moments later, cleansing your hands with alcohol hand sanitizer—you can almost feel the instantaneous sting the alcohol causes in the fresh wound. Not only are you subjected to the initial affliction, but also the second round of pain from the alcohol in the wound. Now, imagine a deeper “cut” directed this time at your pharmacy. The initial barrage is a malicious ransomware attack to capture your pharmacy’s electronic protected health information (ePHI), and the secondary “sting” comes when the Office for Civil Rights (OCR) investigates the pharmacy’s policies and procedures. The pharmacy then forks over a hefty monetary settlement for HIPAA Rule non-compliance. Ouch!

A health system serving patients in Pennsylvania, Ohio and West Virginia found itself in this exact scenario. According to the published OCR Resolution Agreement and Corrective Action Plan, the OCR initiated a compliance review of Heritage Valley Health System (HVHS) after media reports that HVHS had experienced a data security incident. The following HIPAA Security Rule non-compliance issues were identified:

  • Failure to “conduct an accurate and thorough risk analysis of the potential risks and vulnerabilities to the confidentiality, integrity and availability of all of its ePHI”
  • Failure to “establish and implement policies and procedures for responding to an emergency or other occurrence, such as a fire, vandalism, system failure, and natural disaster, that damages systems that contain ePHI”
  • Failure to “implement technical policies and procedures for electronic information systems that maintain ePHI to allow access only to those persons or software programs that have been granted access rights”

HVHS settled with OCR for a whopping $950,000, agreed to three years of OCR monitoring, and was required to take steps to resolve potential violations of the HIPAA Security Rule.

In addition to detailing the settlement with HVHS, OCR’s July 1, 2024 press release stated that there has been a 264% increase in large breaches reported to OCR involving ransomware attacks since 2018. This alarming statistic reflects the harsh reality that pharmacies, and their ePHI, are targets for criminals. Pharmacies are directly in the crosshairs of malicious actors, and pharmacy owners [and employees] must take steps to safeguard their data. Not only is it the law, but it is your data, reputation, time and money on the line!

PAAS Tips:

  • Develop and implement policies and procedures to safeguard ePHI
    • For 15 years, PAAS’ FWA/HIPAA Compliance Program has been helping community pharmacies stay compliant. Had HVHS implemented PAAS’ program, it would not have had the resulting non-compliance issues and fines.
  • Ensure all staff handling ePHI receive training on a regular basis to understand their role in protecting ePHI and the implications of non-compliance, as well as intentional misuse (i.e., breach, fines, exclusion from Medicare/Medicaid, imprisonment, etc.)
  • At least once a year, the Security Officer should perform a thorough assessment of the potential threats, vulnerabilities and the associated risks to the confidentiality, integrity and availability of ePHI
  • PAAS’ FWA/HIPAA Compliance Program members can update their HIPAA Risk Analysis and complete HIPAA training and Cybersecurity training on the PAAS Portal

Sara Hathaway, PharmD